| Bug#: 80345 | Product: Gentoo Linux | Version: unspecified | Platform: All |
| OS/Version: All | Status: RESOLVED | Severity: normal | Priority: P2 |
| Resolution: FIXED | Assigned To: base-system@gentoo.org | Reported By: greg_g@gentoo.org | Opened: 2005-02-01 07:50 0000 |
| Component: Core system | URL: | Keywords: | Status Whiteboard: |
| Summary: correct use of SU_WHEEL_ONLY in sys-apps/shadow | | | |

Description:
The current ebuilds for shadow apply a patch (shadow-4.0.5-login.defs.patch) that sets the default value for SU_WHEEL_ONLY to yes. This applies to non-PAM systems, and was intended to match the behaviour of PAM systems, where pam_wheel is enabled by default (that's explained in the handbook, too). However, the result is not the same: the implementation of SU_WHEEL_ONLY in shadow is such that only users in the group with gid=0 can su to root, and not users belonging to the wheel group. I think we should apply the following patch, which changes the behaviour of SU_WHEEL_ONLY to match PAM (and to be consistent with its name). Maybe this should be also submitted upstream?
Created an attachment (id=50134): shadow-4.0.7-wheel.patch
added 4.0.7 w/patch & e-mailed patch upstream, thanks
*** Bug 81175 has been marked as a duplicate of this bug. ***
Rather than patching su, how about installing a file /etc/suauth containing the line: root:ALL EXCEPT GROUP wheel:DENY and leaving SU_WHEEL_ONLY as no? See man suauth for details on what this does.
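As an added illustration (not code from the bug report, from shadow, or from the commenter), a small Python model of the two checks discussed in this bug: the gid-0 test the reporter describes for SU_WHEEL_ONLY=yes, and the /etc/suauth rule suggested in the last comment, which non-PAM su consults. The group database and the users alice (in wheel) and bob (in neither group) are constructed for the example.

```python
# Added model (not code from the bug or from shadow) of the two checks
# discussed above, run on a constructed /etc/group: name -> (gid, members).
GROUPS = {
    "root": (0, []),
    "wheel": (10, ["alice"]),
}
# The suauth(5) rule proposed in the last comment.
SUAUTH = ["root:ALL EXCEPT GROUP wheel:DENY"]

def su_wheel_only_allows(user):
    """The behaviour the reporter describes for SU_WHEEL_ONLY=yes in the
    unpatched shadow: only members of the gid-0 group pass, so a member of
    a group merely named wheel (gid 10 here) is refused."""
    return any(user in members for gid, members in GROUPS.values() if gid == 0)

def _matches(spec, user):
    """Evaluate one to-id or from-id field of a suauth rule for a user."""
    spec = spec.strip()
    negate = spec.startswith("ALL EXCEPT ")
    if negate:
        spec = spec[len("ALL EXCEPT "):].strip()
    if spec == "ALL":
        hit = True
    elif spec.startswith("GROUP "):
        # suauth requires the user to be listed in the group's member list
        # in /etc/group; a matching primary gid alone does not count.
        names = spec[len("GROUP "):].split(",")
        hit = any(user in GROUPS.get(g.strip(), (None, []))[1] for g in names)
    else:
        hit = user in [u.strip() for u in spec.split(",")]
    return hit != negate

def su_decision(from_user, to_user="root", rules=SUAUTH):
    """Return the ACTION of the first matching rule (DENY, NOPASS, OWNPASS);
    'PROMPT' means no rule matched and su asks for the target's password."""
    for line in rules:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        to_spec, from_spec, action = line.split(":")
        if _matches(to_spec, to_user) and _matches(from_spec, from_user):
            return action.strip()
    return "PROMPT"

if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, "SU_WHEEL_ONLY:", su_wheel_only_allows(user),
              "suauth:", su_decision(user))
```

With the suauth rule, alice falls through to the normal root password prompt and bob is refused outright, whereas the gid-0 check refuses alice despite her wheel membership.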