eric’s extremeboredom

adventures into and out of extreme boredom.

wheel group in linux

So I was wondering if I could set “su” to only allow users in the “wheel” group to su to root like with BSD. I never thought I’d be lucky enough to find another reason why Richard Stallman (the hippy who started the FSF) is an idiot in the process.

The man page pointed me to the info page, which had a very, um, interesting bit of text at the bottom.

Why GNU `su' does not support the `wheel' group
===============================================

   (This section is by Richard Stallman.)

   Sometimes a few of the users try to hold total power over all the
rest.  For example, in 1984, a few users at the MIT AI lab decided to
seize power by changing the operator password on the Twenex system and
keeping it secret from everyone else.  (I was able to thwart this coup
and give power back to the users by patching the kernel, but I wouldn't
know how to do that in Unix.)

   However, occasionally the rulers do tell someone.  Under the usual
`su' mechanism, once someone learns the root password who sympathizes
with the ordinary users, he or she can tell the rest.  The "wheel
group" feature would make this impossible, and thus cement the power of
the rulers.

   I'm on the side of the masses, not that of the rulers.  If you are
used to supporting the bosses and sysadmins in whatever they do, you
might find this idea strange at first.

So this is how I understand what he is saying:

  1. We have Bob, Mary, and Joe all as members of the “wheel” group, all of whom have the root password.
  2. Bob gets pissed off because someone symlinked vim to emacs and changes the root password, not telling anyone else what it is.
  3. Jack (standard user, not in the wheel group) somehow learns the password from Bob, but is unable to do anything because he is not in the wheel group.
  4. Everyone is screwed.

So let’s see: if a non-admin user somehow gets the root password, we don’t WANT him logging into root. If they don’t understand how to administer a Unix box they’ll most likely end up running ‘rm -rf /’. Assuming Bob removed all users but himself from the wheel group, if the require-wheel feature was disabled then Jack could supposedly tell one of the legitimate administrators what the password is so they could regain control of the system, but how likely is it that Mr. Pissed-Off Bob would tell Jack the password unless he had good reason, which would most likely imply that he trusted him not to turn against him? And if Bob added Jack himself to the wheel group, Jack could just log into his account and call over an admin to su to root and take care of the situation. I just don’t see how this weighs up.

Additionally, he totally ignores the fact that this command is now used on many production business servers. In these situations you are much more worried about your users (or intruders) gaining root access than about a disgruntled employee. I would accept the feature being turned off by default, but not including it for this reason? Come on.

Fortunately, I found there’s a PAM module, written by one of the friendly Red Hat folks, that adds wheel checking support.

Add the following line to the auth section of /etc/pam.d/su, ahead of the line that hands authentication off to system-auth, so the group check is made before the password one:

auth required /lib/security/pam_wheel.so use_uid

A few things worth knowing about that line: use_uid makes the module check the real UID of the process calling su rather than the name of whoever owns the login session on the terminal; the group checked is “wheel” by default and can be changed with group=name; and because the control is required, a user who is not in wheel is still prompted for the root password and only refused afterwards (which has the nice side effect of not telling them which check failed). Use requisite instead of required if you would rather refuse before ever prompting. Current Linux-PAM locates modules by name, so the /lib/security/ prefix can simply be left off.

The readme for the pam_wheel module is available here.
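To see what that PAM line actually buys you, here is an added example (not code from the original post, from Linux-PAM, or from pam_wheel itself) that emulates how an /etc/pam.d/su auth stack decides whether the user running su may become root. It follows the rules in pam_wheel(8) and pam.conf(5) for the required, requisite and sufficient controls and treats every other auth line (pam_stack, pam_unix, include) as “the root password check”, which is a simplification of this model. All the /etc/group and pam.d text is constructed for the example, as are the users bob, mary and jack. Two of the cases are the ones a practitioner most often gets wrong: a lone “auth sufficient pam_wheel.so trust” line restricts nobody, and on a system with no wheel group at all (Debian-style) pam_wheel falls back to the gid-0 group, so the admins are locked out until you add group=name.

```python
"""Added example, not code from the original post, Linux-PAM or pam_wheel: an
emulation of how an /etc/pam.d/su auth stack decides whether the user running
`su` may become root, so the effect of pam_wheel's control flag and options can
be tried without a root shell.  Rules modelled, after pam_wheel(8)/pam.conf(5):
pam_wheel passes an applicant listed in the group (default "wheel", else the
gid-0 group) or whose primary gid is that group, returning success with "trust"
and "ignore" without; a non-member fails.  pam_rootok succeeds only for uid 0.
Every other auth line (pam_unix, pam_stack, include, substack) stands for the
root-password check, passed only if the applicant knows the password (a model
assumption).  required/requisite/sufficient follow Linux-PAM; other controls
are not modelled.  All /etc/group and pam.d text here is constructed."""
from collections import namedtuple

SUCCESS, IGNORE, FAIL = "success", "ignore", "fail"
Applicant = namedtuple("Applicant", "name uid gid knows_root_pw")  # gid = primary group

def parse_group(text):
    """/etc/group text -> {name: (gid, [supplementary members])}."""
    groups = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, gid, members = line.strip().split(":", 3)
            groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups

def wheel_passes(groups, who, group=None):
    """pam_wheel(8) membership rule; None = default lookup (wheel, else gid 0)."""
    if group is None:
        group = "wheel" if "wheel" in groups else next(
            (n for n, (gid, _) in groups.items() if gid == 0), None)
    if group not in groups:
        return False
    gid, members = groups[group]
    return who.name in members or who.gid == gid

def parse_stack(text):
    """auth lines of an /etc/pam.d/su file -> [(control, module, {options})]."""
    lines = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            lines.append((fields[1], fields[2].rsplit("/", 1)[-1], set(fields[3:])))
    return lines

def run_module(module, opts, who, groups):
    """What one auth module returns for this applicant."""
    if module == "pam_rootok.so":
        return SUCCESS if who.uid == 0 else FAIL
    if module == "pam_wheel.so":
        # use_uid only changes where pam_wheel reads the applicant from (the
        # real uid instead of the login session); `who` already is that identity.
        grp = next((o[len("group="):] for o in opts if o.startswith("group=")), None)
        if not wheel_passes(groups, who, grp):
            return FAIL
        return SUCCESS if "trust" in opts else IGNORE
    return SUCCESS if who.knows_root_pw else FAIL  # the root-password check

def su_to_root(stack_text, group_text, who):
    """Outcome of `who` running `su` to root, and whether a password prompt
    was shown before it (a failed `required` line still prompts, a failed
    `requisite` line does not)."""
    groups = parse_group(group_text)
    failed = positive = asked = False
    for control, module, opts in parse_stack(stack_text):
        if control in ("include", "substack"):
            control = "required"  # the included file is the password check
        if module not in ("pam_rootok.so", "pam_wheel.so"):
            asked = True
        result = run_module(module, opts, who, groups)
        if control == "sufficient":
            if result == SUCCESS and not failed:
                return "root, after password" if asked else "root, no password asked"
        elif result == FAIL and control == "requisite":
            return "denied, after password" if asked else "denied, no password asked"
        elif result == FAIL:  # required
            failed = True
        elif result == SUCCESS:  # required or requisite
            positive = True
    if failed or not positive:  # Linux-PAM fails a stack in which nothing succeeded
        return "denied, after password" if asked else "denied, no password asked"
    return "root, after password" if asked else "root, no password asked"

# Constructed /etc/group files: Fedora-style with a wheel group, and
# Debian-style with no wheel group at all (Debian uses "sudo" instead).
FEDORA_GROUP = "root:x:0:\nwheel:x:10:bob,mary\nusers:x:100:\n"
DEBIAN_GROUP = "root:x:0:\nsudo:x:27:bob\nusers:x:100:\n"

# Constructed /etc/pam.d/su auth stacks in the 2.6-era Red Hat layout, where
# "pam_stack.so service=system-auth" is the line that asks for root's password.
SU_PLAIN = "auth sufficient pam_rootok.so\nauth required pam_stack.so service=system-auth\n"
SU_WHEEL_REQUIRED = ("auth sufficient pam_rootok.so\n"
                     "auth required /lib/security/pam_wheel.so use_uid\n"  # the post's line
                     "auth required pam_stack.so service=system-auth\n")
SU_WHEEL_REQUISITE = SU_WHEEL_REQUIRED.replace("required /lib", "requisite /lib")
SU_TRUST_ONLY = ("auth sufficient pam_rootok.so\n"
                 "auth sufficient pam_wheel.so trust use_uid\n"  # "trust" line on its own
                 "auth required pam_stack.so service=system-auth\n")
SU_WHEEL_SUDO = SU_WHEEL_REQUIRED.replace("use_uid", "use_uid group=sudo")

BOB = Applicant("bob", 1000, 100, knows_root_pw=True)    # in wheel
JACK = Applicant("jack", 1002, 100, knows_root_pw=True)  # not in wheel, learned the password

if __name__ == "__main__":  # the post's scenario: Jack has the root password
    for name, stack in [("plain", SU_PLAIN), ("required", SU_WHEEL_REQUIRED),
                        ("requisite", SU_WHEEL_REQUISITE), ("trust only", SU_TRUST_ONLY)]:
        print(f"{name:10} jack -> {su_to_root(stack, FEDORA_GROUP, JACK)}")
```

Run as a script it prints Jack’s fate under each stack: root after password with plain su, denied after password with the required line, denied before any prompt with requisite, and root again with the trust-only line. Point FEDORA_GROUP at your real /etc/group and the stack constants at your real /etc/pam.d/su to check a box before you lock yourself out of it.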

And if you’re REALLY paranoid, check out the new SELinux features in kernel 2.6, which let you confine even root with mandatory access control, so that being uid 0 no longer means unlimited power by itself.


Categorized as Me, Rants, Technology

4 Comments

  1. LOL Stallman does it again.

  2. My feeling is that if you’re using Stallman’s logic this says that you don’t trust your SysAdmins. If you don’t trust your SysAdmins, fire the lot of them and hire respectable, trustable people.

  3. You don’t even need PAM for su+wheel support. Use su from the shadow suite instead of GNU coreutils and you get even two possibilities:
    1) Use SU_WHEEL_ONLY in /etc/login.defs
    2) Use /etc/suauth, which allows detailed configuration
    This is how it’s done in Slackware-based systems.
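As an added illustration of the commenter’s second option, not part of the comment itself: suauth(5) entries have the form to-id:from-id:ACTION, where from-id may use GROUP or ALL EXCEPT GROUP and ACTION is one of DENY, NOPASS or OWNPASS. A single rule that refuses su to root from anyone outside wheel looks like this (the group name is chosen to match the post; the rest is the documented syntax):

```text
# /etc/suauth -- to-id:from-id:ACTION (see suauth(5))
root:ALL EXCEPT GROUP wheel:DENY
```

Two caveats from the man pages: suauth only honours members explicitly listed in /etc/group, so a user whose primary gid is the wheel group is not matched (pam_wheel does accept that), and SU_WHEEL_ONLY in login.defs, despite its name, checks membership of the first gid-0 group in /etc/group (called root on most Linux systems), so put your admins in whichever group the option you pick actually reads.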

  4. You can laugh all you want at Richard Stallman, but he’s the reason why Linux is so popular. Without his GNU software, Linux would be a nice, boring kernel that did nothing. GNU software is what allows us to use gcc, tar, grep, find, and a whole host of other utilities.

    Stallman may be somewhat extreme in his views of “the masses”. OK, everyone’s entitled to their pet project or obsession or whatever. It’s exactly that obsession that motivated Richard to do what he’s done. Without that, I suspect Linux would have remained a curiosity among computer science students, interesting but of no practical value to ordinary users.

    Give the man credit where it is due. Linus Torvalds was instrumental in creating Linux, to be sure. Without him, what we call “Linux” wouldn’t exist, either. But Stallman was every bit as important as Torvalds in making Linux a useful, popular operating system (for some value of ‘popular’).

    Show a little respect.
