SU access and the "wheel" group
Hello,
I've used BSD in the past and I have to say I like the way SU access works with the "wheel" group. I am curious as to how I could enable the same type of security or access restriction in Linux, not BSD. I've looked online and here, but all I get is mouse wheel hits. Nothing about how to enable that "feature". I believe the "wheel" group exists by default on any Linux install, but it is essentially not used. Does anyone know how I can set up the wheel group to restrict SU access in Linux? I'm using Slackware if it matters, currently on a 2.4.x kernel. Thanks, -Jason
Actually the wheel group does exist in Slackware, but I think only root is added by default. You need to edit your /etc/group file and include the users you want in that group on the wheel line. I then edited the sudoers file (using visudo) to give the wheel group access to commands using sudo.
Yah,
I am aware that the group "wheel" exists; however, any user can SU to root regardless of what group they are in. I want to prohibit access to SU unless the user is in "wheel". That is how it is in BSD, not in Linux. I don't want to give the group "wheel" full sudo access; I want to prohibit SU access from all accounts except my own. Then I'll give myself SUDO access for certain commands that I might need to use. This keeps anyone else from SUing (or trying) in as root and limits the number of times I actually have to be root, since it's better to use SUDO than SU when performing a single or a few tasks that require root access. I'm not talking about going to these lengths on my lappy; this will be for my server, which will most likely have multiple logins for friends, family, etc.
Ah, sorry, I misunderstood what you were after. Anyway, I think this will do the trick:
Use chown to set the ownership of su to root:wheel and then set the permissions so that only root or the group can execute it (something like 710). I think you also need to set the suid to root (chmod u+s) to get back to the way su should work. I think this should limit su access to the wheel group, but if anyone has dissenting opinions, I'm sure they'll post.
Ahh,
I wasn't aware of how *BSD implemented that feature, but doing it using file permissions would work. I'll try that on my laptop to test it out when I get home. Thanks for the input. Also, if anyone does have an alternative or thinks that isn't the best way, please do tell. -Jason
I see that you are using Slackware, so I will describe the non-PAM way (with PAM the procedure is almost the same). If you look at the file "/etc/login.defs", there are many options regarding login (as its name implies). I quote a section from this file (/etc/login.defs). Code:
#
Excellent!
I was hoping it was just a configuration file I could change. Thanks to the both of you! -Jason
Wow. That is a much more elegant solution than mine. Thanks!
The only problem with BSD's approach is the fact that the wheel group is gid 0. I wouldn't want to give this gid away, and their criticism of the GNU criticism of the wheel approach fails here. Where's the security if you give away this gid? Fortunately, just creating a "su" group and changing the name in /etc/pam.d/su makes it really secure on these systems.
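An added audit snippet (not from this thread) that checks which of the three mechanisms discussed above is in place on a Linux host: the binary-permission approach (su as root:wheel with mode 4710), an SU_WHEEL_ONLY directive in /etc/login.defs (the non-PAM shadow build), and a pam_wheel.so line in /etc/pam.d/su. It assumes GNU coreutils stat and takes file paths as arguments so it can be tried on constructed sample files before pointing it at the real ones.

```shell
#!/bin/sh
# Added example, not from the thread. Each check takes a file path so it can
# be tried on constructed sample files before pointing it at the real ones:
#   su_mode_restricted /bin/su
#   login_defs_wheel_only /etc/login.defs
#   pam_wheel_enabled /etc/pam.d/su

# 1. Permission approach (root:wheel, mode 4710): the last octal digit is the
#    "other" class, and 0 there means users outside the group cannot even
#    execute su. Assumes GNU coreutils stat.
su_mode_restricted() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# 2. login.defs approach (shadow's non-PAM su): an uncommented
#    "SU_WHEEL_ONLY yes" line.
login_defs_wheel_only() {
    grep -Eq '^[[:space:]]*SU_WHEEL_ONLY[[:space:]]+yes' "$1"
}

# 3. PAM approach: an uncommented pam_wheel.so auth line in /etc/pam.d/su
#    (its group= option is how a dedicated "su" group is named instead of wheel).
pam_wheel_enabled() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so' "$1"
}

# Overall verdict: 0 if any of the three mechanisms is active, 1 otherwise.
su_restricted() {
    su_mode_restricted "$1" || login_defs_wheel_only "$2" || pam_wheel_enabled "$3"
}
```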
I think I understand what you mean. You don't want to give out UID or PID 0; they might not necessarily have the same access rights, but it's close.
Thing is, only I will be in the wheel group. No one else. I essentially want to limit SU attempts to me only; if anyone else NEEDS root access, I'll use sudo. If I were to "give out" wheel memberships I would make an alternate group for it. Thanks for the extra info, -Jason
Yeah, the wheel group is GID 0 on BSD, but it's not the same thing in Gentoo, where it's non-zero. Usually, Linux distributions use GID 0 for the root group, so there's no problem (I think) with all Linux distros.
I've never been thrilled with the idea of wheel for these reasons: