gnu-misc-discuss

Re: GNU su and the wheel group


From: Martin Guy
Subject: Re: GNU su and the wheel group
Date: 5 Oct 2004 08:00:35 -0700

David Kastrup <dak@gnu.org> wrote in message news:<x5oejhk5mr.fsf@lola.goethe.zz>...
> <telford@xenon.triode.net.au> writes:
> > Sam Holden <sholden@flexal.cs.usyd.edu.au> wrote:
> >> On Mon, 04 Oct 2004 23:25:49 -0400, Paul Jarc <prj@po.cwru.edu> wrote:
> >>><telford@xenon.triode.net.au> wrote:
> >>>> [root]# ls -l /bin/su
> >>>> -rwsr-x---    1 root     wheel       94625 Oct 12  2003 /bin/su
> >>>>
> >>>> Now only members of the wheel group can run su... how exciting!
> >>>
> >>> And I would say that this itself makes a better argument against
> >>> having code in su to check for the wheel group.

Well, you may be able to please everybody by configuring su's
behaviour in /etc/suauth to stop non-wheel users from even *trying* to
become root:

root:ALL EXCEPT GROUP wheel:DENY

(assuming you have a version of su that uses /etc/suauth - GNU su does;
System V su seems not to)

> >> What about the poor souls who want to su from one user account to
> >> another?
> >
> > How realistic is this?
> 
> Very realistic.  It is very common that one user asks another "I am
> having this and that problem, it does not work here" and then the
> other user comes over, uses su in an xterm to get into his own
> account, picks the necessary information, does a copy&paste job or
> whatever else, and logs out again.

In general, su-ing from an insecure account to a secure one is a no-no
since the insecure account can have its own program called "su" in
$HOME/bin which turns character echo off, prints "Password: ", reads and
mails the password and then says "Sorry."   Of course this may not be
an issue in your specific context.
Su-ing from secure to insecure accounts instead does not have this
problem.

   M
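
A defensive check for the situation described in the message above, as an added example that is not part of the original post: POSIX shell functions that report which file the name `su` resolves to under a given PATH and whether that file sits in a trusted system directory. The function names and the trusted-directory list are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Names and the trusted list
# below are assumptions; adjust TRUSTED_DIRS for the system being checked.
TRUSTED_DIRS="/bin /usr/bin /sbin /usr/sbin"

# first_match NAME PATHSTRING: print the first executable NAME on PATHSTRING.
first_match() {
    name=$1
    old_ifs=$IFS
    IFS=:
    set -f                              # no globbing while splitting on ':'
    for dir in $2; do
        [ -n "$dir" ] || dir=.          # empty PATH entry means current dir
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            IFS=$old_ifs; set +f
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs; set +f
    return 1
}

# is_trusted FILE [DIRS]: succeed if FILE sits directly in a trusted directory.
is_trusted() {
    file_dir=${1%/*}
    for t in ${2:-$TRUSTED_DIRS}; do
        [ "$file_dir" = "$t" ] && return 0
    done
    return 1
}

# check_cmd NAME PATHSTRING [DIRS]
# Returns 0 (trusted), 1 (shadowed by an untrusted copy), 2 (not found).
check_cmd() {
    hit=$(first_match "$1" "$2") || { echo "NOTFOUND $1"; return 2; }
    if is_trusted "$hit" "$3"; then
        echo "OK $hit"
        return 0
    fi
    echo "SHADOWED $hit"
    return 1
}

# Report on the current session's PATH.
check_cmd su "$PATH" || true
```

Typing the full path (/bin/su, as in the listing quoted above) bypasses PATH lookup altogether.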
