On Wed, 21 Mar 2001 17:59:31 +0100, Thomas Haeberlen <Haeberlen@RUS.Uni-Stuttgart.DE> wrote:
Ahem... if a user knows the root password, why would you want to keep him or her from becoming root, anyway?
For a second level of protection. I think it is better if only the users who belong to group root can su to root.
If you restricted permissions of su to members of the "root" group, then other users would not be able to change their "id" at all.
That is what others have suggested, but that is a problem.
On the other hand if e.g. you set your box to allow root to log in only on the console and never over the net...
That's not feasible on a box in remote collocation.
but still: if you can't trust the people who know the root password to use "su" correctly, then you probably shouldn't let them know the root password in the first place.
There is only one person who knows the root password, me. I have to log in remotely, most of the time with sshd, but in emergencies, with telnet and then su to root. I don't want other users trying su to root and guessing the password. It would be nice if su had that extra level of protection the way it did on bsdi.

Egan