Subject: Re: "su" in rescue?
To: Jun-ichiro itojun Hagino <firstname.lastname@example.org>
From: Roland C. Dowdeswell <email@example.com>
Date: 06/23/2004 16:02:15
On 1088002799 seconds since the Beginning of the UNIX epoch
Jun-ichiro itojun Hagino wrote:
> so - how about adding "su" in rescue binary? there may be file
> size issue (due to addition of password check routine). or, if
> we make "su" runnable by people in wheel group, we can skip password
> check? (leaving a room with logged-in terminal has always risk so
> it just increases risk factor)
I would feel rather uncomfortable about having a su(1) in /rescue
that did not prompt for a root password, but rather just checked
for membership in the wheel group. It would in effect remove almost
the entire reason for having a root password to begin with, let
alone the effect on a properly Kerberised environment, etc.
If we do decide to put a su(1) in /rescue, we should try to ensure
that it provides a [not nec. proper] subset of the functionality
of /usr/bin/su and provides said functionality with the same code
as one finds in /usr/bin/su.
Roland Dowdeswell http://www.Imrryr.ORG/~elric/