| Summary: | Change the group ownership on su to wheel | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | David Gurvich <david.gurvich> |
| Component: | Default Configs | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED WONTFIX | ||
| Severity: | normal | CC: | base-system, sascha-gentoo-bugzilla, tazgen |
| Priority: | High | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
|
Description
David Gurvich
2006-07-01 07:02:53 UTC
mhhhh, base-system and security, how do we think about this? I'm not a Gentoo developer, but it's already possible to configure su the way the reporter wants and AFAIR it's even the default (I do NOT want this behaviour, so it's commented out on my system): === Begin /etc/pam.d/su === [...] # Comment this to allow any user, even those not in the 'wheel' # group to su # auth required /lib/security/pam_wheel.so use_uid [...] === End /etc/pam.d/su === I'm not a dev, however pam is used as the athenticating agent, so even though the group ownership is root:root, only users in the wheel group can authenticate by default. Control of who can authenticate can be changed by altering the pam configuration for su, and iirc, if you change the ownership, it could break pam being able to handle this. Ahmed (taz) this is already handled inside of su itself: # # If "yes", the user must be listed as a member of the first gid 0 group # in /etc/group (called "root" on most Linux systems) to be able to "su" # to uid 0 accounts. If the group doesn't exist or is empty, no one # will be able to "su" to uid 0. # SU_WHEEL_ONLY yes |
