On 07/13/2014 01:18 PM, Bernhard Voelker wrote:
Well, I was helping in that move, but I don't remember such lines in the PAM configuration files, neither in the old nor in the new ones:
https://build.opensuse.org/package/view_file/openSUSE:12.3/coreutils/su.pamd... https://build.opensuse.org/package/view_file/openSUSE:13.1/util-linux/su.pam...
Have a nice day, Berny
You guys deal with recent history. I don't know when they were dropped, but they were there in every version of SuSE/openSuSE as long as I can remember up to at least 11.4. E.g.: [02:56 lakehouse/home/david] # cat /etc/SuSE-release openSUSE 10.3 (i586) VERSION = 10.3 [02:56 lakehouse/home/david] # cat /etc/pam.d/su #%PAM-1.0 auth sufficient pam_rootok.so # Uncomment the following line to implicitly trust users in the "wheel" group. auth sufficient pam_wheel.so trust use_uid # Uncomment the following line to require a user to be in the "wheel" group. auth required pam_wheel.so use_uid auth include common-auth account include common-account password include common-password session include common-session session optional pam_xauth.so Why would you want to drop them when they still serve a valid purpose? Security related to prevent compromise of a user account allowing further privilege escalation? I'm not sure that makes much sense since it would require cracking a user who is also a member of the wheel group, but the second also tightens security by requiring the user be member of wheel to su.. If you can recall the reason, I'm interested in knowing. You've go me curious now. -- David C. Rankin, J.D.,P.E. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org