LinuxQuestions.org

Teleute 05-19-2010 02:36 PM

Can I add a group of users to the wheel group?
 
I have a number of users, categorised into various groups. I would like one of those groups ("developers") to be in the wheel group as well. I don't want to just copy the people from the developers group into wheel, because then when that group changes I'll have to change it in two places. Is there a way to specify that anyone in developers is in wheel, and have that be dynamic?

Thanks!

jcomeau_ictx 05-19-2010 06:38 PM

Sure there are ways, using scripting and cron, but you are talking about some nasty ad-hockery. Occam would suggest you save "developers" for a time when you need a separate group for non-wheel developers, and just add people to wheel for now.

Teleute 05-19-2010 07:36 PM

Quote:

Originally Posted by jcomeau_ictx (Post 3974756)
Sure there are ways, using scripting and cron, but you are talking about some nasty ad-hockery. Occam would suggest you save "developers" for a time when you need a separate group for non-wheel developers, and just add people to wheel for now.


There are already many structures/permissions/etc... in place for that developers group, though, and changing them all would be brutal. Plus it's an NIS group. Basically, it has many purposes other than this...

jcomeau_ictx 05-20-2010 09:38 PM

Maybe a good use for FUSE then, but I haven't yet played with it myself, so I'm not sure if it would work. The steps ought to be: write a Python script using python-fuse to output the group file dynamically; rename /etc/group to be /etc/group.fuse; have your script create and handle /mnt/fuse/group based on /etc/group.fuse; and symlink /mnt/fuse/group to /etc/group.

mac.tieu 05-20-2010 09:45 PM

Quote:

Originally Posted by Teleute (Post 3974535)
I have a number of users, categorised into various groups. I would like one of those groups ("developers") to be in the wheel group as well. I don't want to just copy the people from the developers group into wheel, because then when that group changes I'll have to change it in two places. Is there a way to specify that anyone in developers is in wheel, and have that be dynamic?

Thanks!

There is an alternative way to achieve this: grant all permissions of the 'wheel' group to the 'developers' group ('/etc/sudoers', ...), I think.

MT.

Teleute 05-20-2010 10:22 PM

Quote:

Originally Posted by mac.tieu (Post 3976092)
There is an alternative way to achieve this: grant all permissions of the 'wheel' group to the 'developers' group ('/etc/sudoers', ...), I think.

MT.

Holy crap...nice! One of those things where I'd never think of it, but it seems so simple I kick myself for having missed it. I'm giving this a try first thing tomorrow.

Teleute 05-21-2010 05:30 PM

Quote:

Originally Posted by Teleute (Post 3976115)
Holy crap...nice! One of those things where I'd never think of it, but it seems so simple I kick myself for having missed it. I'm giving this a try first thing tomorrow.

I tried this and it didn't work - however, I did try doing it in /etc/pam.d/su (changed the line "auth required pam_wheel.so use_uid" to "auth required pam_wheel.so group=developers use_uid") and it worked. I did a reference to possibly doing this through pam_access instead, but I need to look into that more. It might be the way to go though, since I think with pam_wheel.so I can only send one group as a parameter, and there might be an occasion where more than one needs to be added...

Thanks for putting me on the right track!

mac.tieu 05-21-2010 09:55 PM

Quote:

Originally Posted by Teleute (Post 3977073)
I tried this and it didn't work - however, I did try doing it in /etc/pam.d/su (changed the line "auth required pam_wheel.so use_uid" to "auth required pam_wheel.so group=developers use_uid") and it worked. I did a reference to possibly doing this through pam_access instead, but I need to look into that more. It might be the way to go though, since I think with pam_wheel.so I can only send one group as a parameter, and there might be an occasion where more than one needs to be added...

Thanks for putting me on the right track!

Which command did not work, 'sudo' or 'su'? I prefer to use the 'sudo' command, so I just modified the 'sudoers' config file.

By the way, try modifying your '/etc/pam.d/su' to look like:
Code:

auth sufficient pam_wheel.so use_uid
auth sufficient pam_wheel.so group=developers use_uid
auth required pam_deny.so

Regards,
MT.
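
Added example, not part of the thread: a simplified Python model of how an `auth` stack with pam_wheel lines resolves for `su` to root, using the result codes documented in pam_wheel(8) (PAM_IGNORE for a group member unless `trust` is set, PAM_PERM_DENIED for a non-member). The function names, the `pam_unix.so` password line and the sample stacks are constructed for illustration, and only the `required`, `requisite` and `sufficient` controls are modelled.

```python
# Added illustration: simplified model of a PAM "auth" stack for su to root.
# pam_wheel results follow pam_wheel(8); the stacks below are constructed samples.
def wheel_result(args, groups):
    """Result pam_wheel returns for an invoking user who belongs to `groups`."""
    group = next((a[6:] for a in args if a.startswith("group=")), "wheel")
    matched = (group in groups) != ("deny" in args)  # deny inverts the test
    if not matched:
        return "PAM_PERM_DENIED"
    return "PAM_SUCCESS" if "trust" in args else "PAM_IGNORE"

def su_auth(stack, groups, password_ok=True):
    """Return (granted, password_checked) for the invoking user's group set."""
    failed = succeeded = checked = False
    for line in stack.strip().splitlines():
        _kind, control, module, *args = line.split()
        if module == "pam_wheel.so":
            rc = wheel_result(args, groups)
        elif module == "pam_unix.so":  # stands in for the password prompt
            checked = True
            rc = "PAM_SUCCESS" if password_ok else "PAM_AUTH_ERR"
        else:  # pam_deny.so always fails
            rc = "PAM_AUTH_ERR"
        if rc == "PAM_IGNORE":
            continue  # the module has no say in the outcome
        if rc == "PAM_SUCCESS":
            if control == "sufficient" and not failed:
                return True, checked  # stack ends here with success
            succeeded = True
        elif control != "sufficient":  # a failing sufficient line is ignored
            failed = True
            if control == "requisite":
                break
    return succeeded and not failed, checked

ONE_GROUP = """
auth required pam_wheel.so group=developers use_uid
auth required pam_unix.so
"""
BOTH_REQUIRED = """
auth required pam_wheel.so use_uid
auth required pam_wheel.so group=developers use_uid
auth required pam_unix.so
"""
SUFFICIENT = """
auth sufficient pam_wheel.so use_uid
auth sufficient pam_wheel.so group=developers use_uid
auth required pam_deny.so
"""
SUFFICIENT_TRUST = SUFFICIENT.replace("use_uid", "trust use_uid")
```

In this model two `required` pam_wheel lines demand membership in both groups, and a `sufficient` pam_wheel line grants access only when `trust` is set, in which case no password is checked.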
