On Thu, 22 Mar 2001 22:52:56 +1100, Nix <suse@nix.hispeed.com> wrote:
> I think what he wants is the FreeBSD-style su. Anyone can su to another normal user but only members of group wheel (read: root) can su to root.
Right.
> If you wish to set it exactly the same as the BSDs then use the pam_wheel module as previously discussed by others.
Didn't know about that, but after trying it, it's just what I needed.
> There are very good reasons to do defense in depth this way; there are cases in penetration tests where we have compromised the root password (through poor permissions on history files, etc.) but have been unable to su because of the wheel setup.
That's one good reason why I want to control su to root, yet maintain non-root su flexibility for normal users.
> On my systems I allow only ssh certificate-based logins (no passwords at all) and also enforce the trusted group access.
I have to manage remote servers. There have been times when I needed to stop, or perhaps accidentally stopped, sshd (thinking I was logged into a different server). The only way to regain access was via telnet and su to root. Those rare emergency situations where root's password is sent in the clear are an acceptable risk, considering the alternative is not logging in at all to a server 1,000 miles away.

Egan
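As an added example (not from this thread, and not code of either poster), here is a POSIX shell audit that embeds the pam_wheel stanza implementing the FreeBSD-style rule discussed above (su to any ordinary user is unrestricted; su to root requires membership of a trusted group) and checks two configuration files for the two controls mentioned: an active pam_wheel line in /etc/pam.d/su and PasswordAuthentication no in sshd_config. The pam_wheel options use_uid, root_only and group= are real Linux-PAM options; the `include system-auth` lines follow the Red Hat layout and are an assumption (Debian uses `@include common-auth`), the function names are my own, and all sample file contents are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits su/sshd configuration for the
# two controls discussed: wheel-only su-to-root (pam_wheel) and key-only SSH.
# File contents below are constructed samples; run the checks on real files by
# passing their paths, e.g.  pam_su_wheel_for_root /etc/pam.d/su

# Reference /etc/pam.d/su fragment (Linux-PAM pam_wheel options):
#   root_only  -> the wheel check applies only when the target user is root,
#                 so anyone may still su to an ordinary account (BSD behaviour)
#   use_uid    -> decide by the caller's real uid instead of getlogin()
#   group=NAME -> the trusted group; "wheel" is the default
# "include system-auth" is the Red Hat layout (assumption); Debian uses
# "@include common-auth" instead.
recommended_pam_su() {
    cat <<'EOF'
# /etc/pam.d/su
auth       required     pam_wheel.so use_uid root_only group=wheel
auth       include      system-auth
account    include      system-auth
session    include      system-auth
EOF
}

# Returns 0 when FILE has an uncommented "auth required|requisite pam_wheel.so"
# line carrying both use_uid and root_only, i.e. the FreeBSD-style rule.
# A line without root_only is stricter (wheel needed for every su target) and
# deliberately fails this check; "sufficient ... trust" stanzas are not handled.
pam_su_wheel_for_root() {
    pw_line=$(grep -v '^[[:space:]]*#' "$1" 2>/dev/null \
        | grep -E '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so' \
        | head -n 1)
    [ -n "$pw_line" ] || return 1
    case "$pw_line" in *use_uid*) ;; *) return 1 ;; esac
    case "$pw_line" in *root_only*) return 0 ;; *) return 1 ;; esac
}

# Returns 0 when FILE's effective PasswordAuthentication is "no". sshd takes
# the first occurrence of a keyword, and the default is "yes", so an unset
# keyword fails. Match blocks are ignored (simplification).
sshd_passwords_disabled() {
    pa_val=$(grep -v '^[[:space:]]*#' "$1" 2>/dev/null \
        | grep -iE '^[[:space:]]*PasswordAuthentication[[:space:]]+' \
        | head -n 1 | awk '{print tolower($2)}')
    [ "$pa_val" = "no" ]
}

# Demonstration on constructed files (stand-alone run).
demo() {
    d=$(mktemp -d)
    recommended_pam_su > "$d/su.good"
    # common distro default: the pam_wheel line is present but commented out
    printf '# auth required pam_wheel.so\nauth include system-auth\n' > "$d/su.bad"
    printf 'PasswordAuthentication no\nPubkeyAuthentication yes\n' > "$d/sshd.good"
    printf '# PasswordAuthentication no\n' > "$d/sshd.bad"
    for f in su.good su.bad; do
        if pam_su_wheel_for_root "$d/$f"; then
            echo "$f: su to root limited to the trusted group"
        else
            echo "$f: anyone holding root's password can su to root"
        fi
    done
    for f in sshd.good sshd.bad; do
        if sshd_passwords_disabled "$d/$f"; then
            echo "$f: password logins disabled"
        else
            echo "$f: password logins still accepted"
        fi
    done
    rm -rf "$d"
}

demo
```

The second check is what makes the first one matter in the way Nix describes: with password logins off, a leaked root password alone gives an attacker no login and, with pam_wheel in place, no su either. Keep the out-of-band console or a break-glass key for the lockout case Egan mentions rather than relying on telnet.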