Old 11-07-2005, 02:33 PM   #1
username17
Member
 
Registered: Aug 2004
Location: Norfolk VA
Distribution: Slackware 11
Posts: 230

Rep: Reputation: 30
SU access and the "wheel" group


Hello,
I've used BSD in the past and I have to say I like the way SU access works with the "wheel" group.

I am curious as to how I could enable the same type of security or access restriction in linux, not BSD.

I've looked online and here, all I get is mouse wheel hits. Nothing about how to enable that "feature".

I believe the "wheel" group exists by default on any linux install, but it is essentially not used.
Does anyone know how I can set up the wheel group to restrict SU access in linux?
I'm using slackware if it matters, currently on a 2.4.x kernel.

Thanks,
-Jason
 
Old 11-07-2005, 02:48 PM   #2
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Actually the wheel group does exist in Slackware, but I think only root is added by default. You need to edit your /etc/group file and include the users you want in that group on the wheel line. I then edited the sudoers file (using visudo) to give the wheel group access to commands using sudo.
 
Old 11-07-2005, 02:57 PM   #3
username17
Member
 
Registered: Aug 2004
Location: Norfolk VA
Distribution: Slackware 11
Posts: 230

Original Poster
Rep: Reputation: 30
Yah,
I am aware that the group "wheel" exists; however, any user can SU to root regardless of what group they are in.

I want to prohibit access to SU unless the user is in "wheel". That is how it is in BSD, not in linux.

I don't want to give the group "wheel" full sudo access, I want to prohibit SU access from all accounts except my own. Then I'll give myself SUDO access for certain commands that I might need to use.

This keeps anyone else from SUing (or trying) in as root and limits the number of times I actually have to be root, since it's better to use SUDO than SU when performing a single or a few tasks that require root access.

I'm not talking about going to these lengths on my lappy, this will be for my server, which will most likely have multiple logins for friends, family, etc.
 
Old 11-07-2005, 03:20 PM   #4
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Ah, sorry I misunderstood what you were after. Anyway, I think this will do the trick:

Use chown to set the ownership of su to root:wheel and then set the permissions so that only root or the group can execute it (something like 710). I think you need to also set the suid to root (chmod u+s) to get back to the way the su should work. I think this should limit su access to the wheel group, but if anyone has dissenting opinions, I'm sure they'll post.
 
Old 11-07-2005, 03:25 PM   #5
username17
Member
 
Registered: Aug 2004
Location: Norfolk VA
Distribution: Slackware 11
Posts: 230

Original Poster
Rep: Reputation: 30
Ahh,
I wasn't aware of how *BSD implemented that feature, but doing it using file permissions would work.
I'll try that on my laptop to test it out when I get home. Thanks for the input.

Also, if anyone does have an alternative or thinks that isn't the best way, please do tell.
-Jason
 
Old 11-07-2005, 04:03 PM   #6
imitheos
Member
 
Registered: May 2005
Location: Greece
Posts: 441

Rep: Reputation: 141
Quote:
Originally posted by Hangdog42
Ah, sorry I misunderstood what you were after. Anyway, I think this will do the trick:

Use chown to set the ownership of su to root:wheel and then set the permissions so that only root or the group can execute it (something like 710). I think you need to also set the suid to root (chmod u+s) to get back to the way the su should work. I think this should limit su access to the wheel group, but if anyone has dissenting opinions, I'm sure they'll post.
This is a solution too, but there is a better (imho) solution.

I see that you are using Slackware, so I will describe the non-PAM way (with PAM the procedure is almost the same).

If you look at the file "/etc/login.defs", there are many options regarding login (as its name implies).

I quote a section from this file (/etc/login.defs):
Code:
#
# If "yes", the user must be listed as a member of the first gid 0 group
# in /etc/group (called "root" on most Linux systems) to be able to "su"
# to uid 0 accounts.  If the group doesn't exist or is empty, no one
# will be able to "su" to uid 0.
#
SU_WHEEL_ONLY   no
This is the default entry. If you change the "no" to "yes" then you will have what you want.
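
Added example, not part of imitheos's post and not the shadow suite's own code: a shell check of who may `su` to uid 0 under the rule in the quoted comment, which keys on the first gid 0 group rather than on the name "wheel". The sample files, the user names and wheel's gid 10 are constructed, and "last active setting wins, default no" is an assumption about how login.defs is read.

```shell
#!/bin/sh
# Added example: who may su to uid 0 under the SU_WHEEL_ONLY rule quoted above.

# Effective SU_WHEEL_ONLY value from a login.defs-style file. Commented lines
# are skipped; assumption: the last active line wins and the default is "no".
su_wheel_only() {
    awk '$1 == "SU_WHEEL_ONLY" { v = tolower($2) }
         END { print (v == "" ? "no" : v) }' "$1"
}

# Member list (4th field) of the first gid 0 entry in a group-style file.
first_gid0_members() {
    awk -F: '$3 == 0 { print $4; exit }' "$1"
}

# may_su_root LOGIN_DEFS GROUP_FILE USER -> exit 0 if su to uid 0 is permitted
# by this rule, 1 if refused. Only listed members count, per the comment.
may_su_root() {
    [ "$(su_wheel_only "$1")" = "yes" ] || return 0
    case ",$(first_gid0_members "$2")," in
        *",$3,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Constructed sample files (not from a real system): the gid 0 group is
# "root", while "wheel" has a different gid (10 here, a constructed value).
write_samples() {
    printf '%s\n' '# SU_WHEEL_ONLY no' 'SU_WHEEL_ONLY   yes' > "$1/login.defs"
    printf '%s\n' 'root:x:0:root,alice' 'wheel:x:10:root,bob' \
        'users:x:100:' > "$1/group"
}

dir=$(mktemp -d)
write_samples "$dir"
for u in alice bob carol; do
    if may_su_root "$dir/login.defs" "$dir/group" "$u"; then
        echo "$u: su to root permitted"
    else
        echo "$u: su to root refused"
    fi
done
rm -rf "$dir"
```

In the sample, bob is listed in "wheel" but is still refused, because the option looks at the gid 0 line of the group file, not at the group's name.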
 
Old 11-07-2005, 04:13 PM   #7
username17
Member
 
Registered: Aug 2004
Location: Norfolk VA
Distribution: Slackware 11
Posts: 230

Original Poster
Rep: Reputation: 30
Excellent!

I was hoping it was just a configuration file I could change.

Thanks to the both of you!
-Jason
 
Old 11-07-2005, 04:45 PM   #8
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Wow. That is a much more elegant solution than mine. Thanks!
 
Old 11-07-2005, 08:44 PM   #9
primo
Member
 
Registered: Jun 2005
Posts: 542

Rep: Reputation: 34
The only problem with BSD's approach is the fact that the wheel group is gid 0. I wouldn't want to give this gid away and their criticism of the GNU criticism of the wheel approach fails here. Where's the security if you give away this gid? Fortunately, just creating a "su" group and changing the name in /etc/pam.d/su makes it really secure in these systems.
 
Old 11-08-2005, 01:27 PM   #10
username17
Member
 
Registered: Aug 2004
Location: Norfolk VA
Distribution: Slackware 11
Posts: 230

Original Poster
Rep: Reputation: 30
I think I understand what you mean. You don't want to give out UID or PID 0, they might not necessarily have the same access rights, but it's close.

Thing is, only I will be in the wheel group. No one else. I essentially want to limit SU attempts to me only, if anyone else NEEDS root access, I'll use sudo.

If I were to "give out" wheel memberships I would make an alternate group for it.
Thanks for the extra info,
-Jason
 
Old 11-08-2005, 01:47 PM   #11
primo
Member
 
Registered: Jun 2005
Posts: 542

Rep: Reputation: 34
Yeah, the wheel group is GID 0 on BSD, but it's not the same thing in Gentoo, where it's non-zero. Usually, Linux distributions use GID 0 for the root group, so there's no problem (I think) with all Linux distros.
 
Old 11-09-2005, 06:10 PM   #12
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,649
Blog Entries: 4

Rep: Reputation: 3934
I've never been thrilled with the idea of wheel for these reasons:
  1. Everybody knows about it. Every script-kiddie on the planet will try to use it.
  2. It's very easy to get suckered into the sheer laziness (imho) of making "your personal account" almost-all-powerful. It should be "an ordinary Joe or Jane in every way."
  3. Wheel is useful if there is a group of system maintenance accounts, but I think that it's much safer to have one "maintenance account" and to have the several maintenance-personnel all know it. Access-Control Lists (ACLs) also make things like this much simpler than they used to be.
  4. If the system maintenance group isn't wheel, that's just one more thing that a script-kiddie would have to guess. And of course, script-kiddies don't guess anything at all.
 
  

