Linux - Security
Hello,
I've used BSD in the past and I have to say I like the way SU access works with the "wheel" group.
I am curious as to how I could enable the same type of security or access restriction in Linux, not BSD.
I've looked online and here, all I get is mouse wheel hits. Nothing about how to enable that "feature".
I believe the "wheel" group exists by default on any Linux install, but it is essentially not used.
Does anyone know how I can set up the wheel group to restrict SU access in Linux?
I'm using Slackware if it matters, currently on a 2.4.x kernel.
Actually the wheel group does exist in Slackware, but I think only root is added by default. You need to edit your /etc/group file and include the users you want in that group on the wheel line. I then edited the sudoers file (using visudo) to give the wheel group access to commands using sudo.
Yah,
I am aware that the group "wheel" exists; however, any user can SU to root regardless of what group they are in.
I want to prohibit access to SU unless the user is in "wheel". That is how it is in BSD, not in Linux.
I don't want to give the group "wheel" full sudo access, I want to prohibit SU access from all accounts except my own. Then I'll give myself SUDO access for certain commands that I might need to use.
This keeps anyone else from SUing (or trying) in as root and limits the number of times I actually have to be root, since it's better to use SUDO than SU when performing a single task or a few tasks that require root access.
I'm not talking about going to these lengths on my lappy, this will be for my server, which will most likely have multiple logins for friends, family, etc.
Ah, sorry I misunderstood what you were after. Anyway, I think this will do the trick:
Use chown to set the ownership of su to root:wheel and then set the permissions so that only root or the group can execute it (something like 710). I think you need to also set the suid to root (chmod u+s) to get back to the way the su should work. I think this should limit su access to the wheel group, but if anyone has dissenting opinions, I'm sure they'll post.
Ahh,
I wasn't aware of how *BSD implemented that feature, but doing it using file permissions would work.
I'll try that on my laptop to test it out when I get home. Thanks for the input.
Also, if anyone does have an alternative or thinks that isn't the best way, please do tell.
-Jason
Originally posted by Hangdog42 Ah, sorry I misunderstood what you were after. Anyway, I think this will do the trick:
Use chown to set the ownership of su to root:wheel and then set the permissions so that only root or the group can execute it (something like 710). I think you need to also set the suid to root (chmod u+s) to get back to the way the su should work. I think this should limit su access to the wheel group, but if anyone has dissenting opinions, I'm sure they'll post.
This is a solution too, but there is a better (imho) solution.
I see that you are using Slackware, so I will describe the non-PAM way (with PAM the procedure is almost the same).
If you look at the file "/etc/login.defs", there are many options regarding login (as its name implies).
I quote a section from this file (/etc/login.defs)
Code:
#
# If "yes", the user must be listed as a member of the first gid 0 group
# in /etc/group (called "root" on most Linux systems) to be able to "su"
# to uid 0 accounts. If the group doesn't exist or is empty, no one
# will be able to "su" to uid 0.
#
SU_WHEEL_ONLY no
This is the default entry. If you change the "no" to "yes" then you will have what you want.
The only problem with BSD's approach is the fact that the wheel group is gid 0. I wouldn't want to give this gid away and their criticism of the GNU criticism of the wheel approach fails here. Where's the security if you give away this gid? Fortunately, just creating a "su" group and changing the name in /etc/pam.d/su makes it really secure in these systems.
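Added here as an audit helper (my own code, not from the thread or from Slackware's tooling) covering the three mechanisms raised so far: Hangdog42's file-permission approach (root:wheel, mode 4710), SU_WHEEL_ONLY in /etc/login.defs, and pam_wheel.so in /etc/pam.d/su. It assumes GNU stat and a POSIX awk; the function names and the path parameters are mine.

```shell
#!/bin/sh
# Added example, not from the thread: audit which of the three su-restriction
# mechanisms discussed above is actually in effect on a host.  Paths are
# parameters so the checks can be run against copies of the files.

# 1. File-permission approach: su setuid root, group wheel, mode 4710, so a
#    user outside the group cannot even execute the binary.
su_binary_restricted() {   # usage: su_binary_restricted /bin/su [owner] [group]
    _path=$1; _owner=${2:-root}; _group=${3:-wheel}
    _perms=$(stat -c '%a %U %G' "$_path" 2>/dev/null) || return 1
    set -- $_perms
    _mode=$1
    [ "$2" = "$_owner" ] && [ "$3" = "$_group" ] || return 1
    # stat prints the mode in octal, e.g. 4710: first digit holds the setuid
    # bit (4), last digit the "other" permissions; 3 digits means no setuid.
    [ ${#_mode} -eq 4 ] || return 1
    _special=$(printf '%s' "$_mode" | cut -c1)
    _other=$(printf '%s' "$_mode" | cut -c4)
    [ $(( _special & 4 )) -ne 0 ] || return 1   # setuid present
    [ $(( _other & 1 )) -eq 0 ]                 # others cannot execute
}

# 2. login.defs approach: SU_WHEEL_ONLY, honoured only by shadow's non-PAM su.
su_wheel_only_value() {    # usage: su_wheel_only_value [/etc/login.defs] -> yes|no
    _f=${1:-/etc/login.defs}
    # Comments dropped; the last uncommented assignment wins, as shadow reads it.
    grep -v '^[[:space:]]*#' "$_f" 2>/dev/null |
    awk '$1 == "SU_WHEEL_ONLY" { v = tolower($2) } END { print (v == "" ? "no" : v) }'
}

# 3. PAM approach: pam_wheel.so in /etc/pam.d/su (group name is configurable).
pam_wheel_enforced() {     # usage: pam_wheel_enforced [/etc/pam.d/su] [group]
    _f=${1:-/etc/pam.d/su}; _g=${2:-wheel}
    # Only an uncommented "auth required|requisite pam_wheel.so" line without
    # the "deny" option restricts su; "sufficient ... trust" merely waives the
    # password for members and denies nobody.
    grep -v '^[[:space:]]*#' "$_f" 2>/dev/null |
    awk -v g="$_g" '
        $1 == "auth" && ($2 == "required" || $2 == "requisite") && $3 ~ /pam_wheel\.so$/ {
            grp = "wheel"; deny = 0
            for (i = 4; i <= NF; i++) {
                if ($i ~ /^group=/) grp = substr($i, 7)
                if ($i == "deny") deny = 1
            }
            if (grp == g && !deny) ok = 1
        }
        END { exit (ok ? 0 : 1) }'
}
```

Because shadow's su consults SU_WHEEL_ONLY only when built without PAM, and a package upgrade that reinstalls su restores the package's own mode, run all three checks after upgrades rather than trusting whichever one was set.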
I think I understand what you mean. You don't want to give out UID or PID 0, they might not necessarily have the same access rights, but it's close.
Thing is, only I will be in the wheel group. No one else. I essentially want to limit SU attempts to me only, if anyone else NEEDS root access, I'll use sudo.
If I were to "give out" wheel memberships I would make an alternate group for it.
Thanks for the extra info,
-Jason
Yeah, the wheel group is GID 0 on BSD, but it's not the same thing in Gentoo where it's non-zero. Usually, Linux distributions use GID 0 for the root group, so there's no problem (I think) with all Linux distros.
I've never been thrilled with the idea of wheel for these reasons:
Everybody knows about it. Every script-kiddie on the planet will try to use it.
It's very easy to get suckered into the sheer laziness (imho) of making "your personal account" almost-all-powerful. It should be "an ordinary Joe or Jane in every way."
Wheel is useful if there are a group of system maintenance accounts, but I think that it's much safer to have one "maintenance account" and to have the several maintenance-personnel all know it. Access-Control Lists (ACLs) also make things like this much simpler than they used to be.
If the system maintenance group isn't wheel, that's just one more thing that a script-kiddie would have to guess. And of course, script-kiddies don't guess anything at all.