Bug 138707 - Change the group ownership on su to wheel
Summary: Change the group ownership on su to wheel
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Default Configs
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-07-01 07:02 UTC by David Gurvich
Modified: 2006-07-02 12:24 UTC
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description David Gurvich 2006-07-01 07:02:53 UTC
The current permissions and ownership on su allow any user to su to root, and are
-rws--x--x 1 root root
The BSDs do not have that security gap, with su acting much like sudo and requiring that the user be in the wheel group to use su. If the group that su belongs to were changed to 'wheel' from 'root', that would have a similar effect on Gentoo.
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2006-07-01 07:17:06 UTC
mhhhh, base-system and security, how do we think about this?
Comment 2 Sascha Silbe 2006-07-02 00:46:27 UTC
I'm not a Gentoo developer, but it's already possible to configure su the way the reporter wants and AFAIR it's even the default (I do NOT want this behaviour, so it's commented out on my system):

=== Begin /etc/pam.d/su ===
[...]
# Comment this to allow any user, even those not in the 'wheel'
# group to su
# auth       required     /lib/security/pam_wheel.so use_uid
[...]
=== End /etc/pam.d/su ===
 
Comment 3 Ahmed Abdalla 2006-07-02 10:45:33 UTC
I'm not a dev; however, pam is used as the authenticating agent, so even though the group ownership is root:root, only users in the wheel group can authenticate by default. Control of who can authenticate can be changed by altering the pam configuration for su, and iirc, if you change the ownership, it could break pam being able to handle this.

Ahmed (taz)
Comment 4 SpanKY gentoo-dev 2006-07-02 12:24:58 UTC
this is already handled inside of su itself:
#
# If "yes", the user must be listed as a member of the first gid 0 group
# in /etc/group (called "root" on most Linux systems) to be able to "su"
# to uid 0 accounts.  If the group doesn't exist or is empty, no one
# will be able to "su" to uid 0.
# 
SU_WHEEL_ONLY   yes
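As an added illustration (not code from the bug thread or from Gentoo), a small POSIX sh audit that checks the three mechanisms discussed above, the pam_wheel line in /etc/pam.d/su from comment 2, SU_WHEEL_ONLY in /etc/login.defs from comment 4, and the group/mode change the report proposes, against constructed sample files. The sample file names, the pam_unix.so filler line and the use of `stat -c '%G %a'` on a live host are assumptions of this example.

```shell
#!/bin/sh
# Added audit helper, not code from the bug thread or from Gentoo. It checks
# the three ways the thread discusses of limiting "su" to the wheel group:
#   1. an active pam_wheel.so auth line in /etc/pam.d/su   (comment 2)
#   2. SU_WHEEL_ONLY yes in /etc/login.defs                (comment 4)
#   3. group wheel plus no "other" bits on the su binary   (the report)

# 0 if an uncommented auth line loads pam_wheel.so; the shipped
# "# auth ... pam_wheel.so" line is commented out and does not count.
pam_wheel_enforced() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+[^[:space:]]*pam_wheel\.so' "$1"
}

# 0 if an active line sets SU_WHEEL_ONLY to yes (value is case-insensitive)
su_wheel_only() {
    grep -Eiq '^[[:space:]]*SU_WHEEL_ONLY[[:space:]]+yes([[:space:]]|$)' "$1"
}

# 0 if GROUP is wheel and octal MODE grants nothing to "other" (e.g. 4750),
# the layout the reporter asked for instead of -rws--x--x root:root (4711)
su_mode_restricted() {
    [ "$1" = wheel ] || return 1
    case "$2" in *0) return 0 ;; *) return 1 ;; esac
}

# Reports every mechanism that applies; returns 0 if at least one does.
su_wheel_restricted() {   # args: pam_su_file login_defs_file group mode
    _ok=1
    pam_wheel_enforced "$1"      && { echo "pam_wheel active in $1"; _ok=0; }
    su_wheel_only "$2"           && { echo "SU_WHEEL_ONLY yes in $2"; _ok=0; }
    su_mode_restricted "$3" "$4" && { echo "su is group $3, mode $4"; _ok=0; }
    [ "$_ok" -eq 0 ] || echo "WARNING: any user may attempt su to root"
    return "$_ok"
}

# Constructed sample files (not taken from a real system) for a stand-alone run
write_samples() {   # arg: directory
    printf '%s\n' '# auth       required     /lib/security/pam_wheel.so use_uid' \
        'auth       required     /lib/security/pam_unix.so' > "$1/su.default"
    printf '%s\n' 'auth       required     /lib/security/pam_wheel.so use_uid' \
        'auth       required     /lib/security/pam_unix.so' > "$1/su.wheel"
    printf '%s\n' 'SU_WHEEL_ONLY   yes' > "$1/login.defs.wheel"
    printf '%s\n' '#SU_WHEEL_ONLY   yes' 'SU_WHEEL_ONLY   no' > "$1/login.defs.open"
}

# Demo on the samples; on a live host pass /etc/pam.d/su, /etc/login.defs and
# the group and mode from: stat -c '%G %a' /bin/su
SAMPLES=$(mktemp -d); write_samples "$SAMPLES"
su_wheel_restricted "$SAMPLES/su.default" "$SAMPLES/login.defs.open"  root 4711 || true
su_wheel_restricted "$SAMPLES/su.wheel"   "$SAMPLES/login.defs.wheel" root 4711
```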