Subject: Re: Using netgroups in /etc/group
To: Luke Mewburn <lukem@NetBSD.org>
From: Lord Clark Frazier Hale I <xlark@sdf.lonestar.org>
List: netbsd-help
Date: 12/11/2004 20:06:48
On Sat, Dec 11, 2004 at 01:23:09PM +1100, Luke Mewburn wrote:
> Not really.
> 
> The '+/- compat syntax' is triggered off the first character of the
> line, not on each member group.  There would be large increases in
> complexity in libc/getgrent.c for supporting the latter.
> 

That's enlightening.  I've never seen that in any of the assorted 
documentation around the web (or I just missed it, which is entirely 
possible).


> I'm tempted to answer "not really" here too.
> You _could_ use
> 	+wheel:*::
> 	wheel:*:0:root
> and set wheel to the full admins entry in wherever you get
> passwd_compat from (nis, dns, ...), but I'm not comfortable
> recommending that as good sysadmin practice.
> 
> You could use replacements for su(1) that do not use "wheel" as
> the access control mechanism (e.g., priv, sudo)

That works for me, though I'm not sure if I'll use it.  The more I think 
about it, the more it seems like a bad idea for wheel.  I think I'll do 
some research on alternatives, like those you listed.

Thanks very much,

Clark

-- 
Sir Clark Frazier Hale I
xlark@sdf.lonestar.org
For the Snark WAS a bojum, you see.
SDF Public Access UNIX System - http://sdf.lonestar.org
Clayton SuperComputing Centre - http://cscc.homeunix.net