Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


Old 05-05-2011, 11:53 PM
Henrique de Moraes Holschuh
 
Default wheel group

On Fri, 06 May 2011, Stanisław Findeisen wrote:
> Why is there no wheel group by default in Debian GNU/Linux?

Because we do not enable pam_wheel by default, so it is not needed by
default.

--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20110505235323.GA2535@khazad-dum.debian.net
 
Old 05-06-2011, 10:18 AM
Stanisław Findeisen
 
Default wheel group

Heh, that's what this question is about. :-)

Restricting certain privileges (like su root) to certain users only
looks more secure than letting everyone do it... Is there any particular
reason Debian GNU/Linux is so permissive by default?

-- 
Eisenbits - proven software solutions: http://www.eisenbits.com/
OpenPGP: E3D9 C030 88F5 D254 434C 6683 17DD 22A0 8A3B 5CC0
 
Old 05-06-2011, 12:03 PM
Sujit Karatparambil
 
Default wheel group

> Heh, that's what this question is about. :-)

http://unix.stackexchange.com/questions/4460/why-is-debian-not-creating-the-wheel-group-by-default

> Restricting certain privileges (like su root) to certain users only
> looks more secure than letting everyone do it... Is there any particular
> reason Debian GNU/Linux is so permissive by default?
>

man pam could help?

> -- 
> Eisenbits - proven software solutions: http://www.eisenbits.com/
> OpenPGP: E3D9 C030 88F5 D254 434C 6683 17DD 22A0 8A3B 5CC0
>
>


--
Archive: http://lists.debian.org/BANLkTi=aJxPi9xRUPe_W6rUcvQ0A6OECPg@mail.gmail.com
 
Old 05-06-2011, 12:04 PM
Marc Haber
 
Default wheel group

On Fri, 06 May 2011 12:18:20 +0200, Stanisław Findeisen
<stf@eisenbits.com> wrote:
>On 2011-05-06 01:53, Henrique de Moraes Holschuh wrote:
>> On Fri, 06 May 2011, Stanisław Findeisen wrote:
>>> Why is there no wheel group by default in Debian GNU/Linux?
>>
>> Because we do not enable pam_wheel by default, so it is not needed by
>> default.
>
>Heh, that's what this question is about. :-)
>
>Restricting certain privileges (like su root) to certain users only
>looks more secure than letting everyone do it... Is there any particular
>reason Debian GNU/Linux is so permissive by default?

I guess that it was once decided to protect root with a password.
Also, there is a nosu group that can be used to prohibit the use of
su.

Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Mannheim, Germany | Beginning of Wisdom " | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834


--
Archive: http://lists.debian.org/E1QIJli-0002nH-5H@swivel.zugschlus.de
 
Old 05-06-2011, 03:20 PM
Henrique de Moraes Holschuh
 
Default wheel group

On Fri, 06 May 2011, Stanisław Findeisen wrote:
> > Because we do not enable pam_wheel by default, so it is not needed by
> > default.
>
> Heh, that's what this question is about. :-)

Then ask it directly :-p

> Restricting certain privileges (like su root) to certain users only
> looks more secure than letting everyone do it... Is there any particular
> reason Debian GNU/Linux is so permissive by default?

Beats me. I am one of those who fight to keep braindamage such as
wide-open "sudo su -" and password-less root accounts away from Debian,
so asking me about it would be moot.

File a wishlist bug against the debian-installer (if one doesn't exist
already), requesting the optional support of pam_wheel at install time.
AFTER that gets implemented, one can talk about whether it should be the
default or not.

--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh


--
Archive: http://lists.debian.org/20110506152016.GA12452@khazad-dum.debian.net
 
Old 05-06-2011, 04:37 PM
Steve Langasek
 
Default wheel group

On Fri, May 06, 2011 at 12:20:17PM -0300, Henrique de Moraes Holschuh wrote:
> On Fri, 06 May 2011, Stanisław Findeisen wrote:
> > Restricting certain privileges (like su root) to certain users only
> > looks more secure than letting everyone do it... Is there any particular
> > reason Debian GNU/Linux is so permissive by default?

> Beats me. I am one of those who fight to keep braindamage such as
> wide-open "sudo su -" and password-less root accounts away from Debian,
> so asking me about it would be moot.

> File a wishlist bug against the debian-installer (if one doesn't exist
> already), requesting the optional support of pam_wheel at install time.

No. /etc/pam.d/su is a conffile owned by the login package; you need to
file a bug there first and get the maintainers to provide a policy-compliant
mechanism for configuring this change to the file. *Then* you can talk to
the installer team about supporting it (if debconf doesn't already give you
that automatically).

But I hope the login maintainers 'wontfix' any such bug report. This is a
silly edge case to spend time making configurable via the installer.

--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek@ubuntu.com vorlon@debian.org


--
Archive: http://lists.debian.org/20110506163733.GA17853@virgil.dodds.net
 
Old 05-07-2011, 07:33 AM
Christian PERRIER
 
Default wheel group

Quoting Steve Langasek (vorlon@debian.org):

> But I hope the login maintainers 'wontfix' any such bug report. This is a


I suspect they would, yes....based on the advice of people they trust
for such things..:-)

(imho, such a case is indeed something where the Technical Committee has
added value if I refer to some recent interviews I read..:-))
 
Old 05-09-2011, 07:06 PM
Aaron Toponce
 
Default wheel group

On Fri, May 06, 2011 at 01:10:07AM +0200, Stanisław Findeisen wrote:
> Why is there no wheel group by default in Debian GNU/Linux?

In essence, it is there, it's just not using the "wheel" group name as you
find on Red Hat based systems. Instead, add the user to the "root" group.
Further, as is usually standard with wheel group installations, you can
edit the /etc/pam.d/su config file, and uncomment one or both of the
following lines:

# Uncomment this to force users to be a member of group root
# before they can use `su'. You can also add "group=foo"
# to the end of this line if you want to use a group other
# than the default "root" (but this may have side effect of
# denying "root" user, unless she's a member of "foo" or explicitly
# permitted earlier by e.g. "sufficient pam_rootok.so").
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
# auth required pam_wheel.so

# Uncomment this if you want wheel members to be able to
# su without a password.
# auth sufficient pam_wheel.so trust

Because I'm the only user on my personal systems, I uncomment the
"sufficient" line (with my user in the "root" group, of course), to get
access to root without entering my password. This also works with sudo(8).
This should be exactly what you are looking for.

--
. o . o . o . . o o . . . o .
. . o . o o o . o . o o . . o
o o o . o . . o o o o . o o o
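
As an added example (not part of Aaron Toponce's message and not code from Debian's login package), these shell functions audit the setup described above: they report which pam_wheel rule is active in a PAM service file and list the members of the group it would admit. The function names, the `demo` helper and its sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit how pam_wheel gates su.
# Paths are arguments so this can run on copies of /etc/pam.d/su and /etc/group.

# Print one line per ACTIVE pam_wheel auth rule in PAM file $1:
#   "<control> group=<name|default> trust=<yes|no>"
# or "pam_wheel not enabled" when no such rule is active.
audit_su_pam() {
    awk '
        /^[ \t]*#/ { next }    # commented-out rule, as shipped by default
        ($1 == "auth" || $1 == "-auth") && $3 ~ /(^|\/)pam_wheel\.so$/ {
            # Without group=, pam_wheel(8) checks "wheel", or GID 0 when
            # no wheel group exists (which is "root" on Debian).
            group = "default"; trust = "no"
            for (i = 4; i <= NF; i++) {
                if ($i ~ /^group=/) group = substr($i, 7)
                if ($i == "trust")  trust = "yes"
            }
            printf "%s group=%s trust=%s\n", $2, group, trust
            found = 1
        }
        END { if (!found) print "pam_wheel not enabled" }
    ' "$1"
}

# Print the member list of group $2 from group file $1. With "trust" set,
# each listed account can su without a password.
group_members() {
    awk -F: -v g="$2" '$1 == g { print $4 }' "$1"
}

# Constructed sample input: the "sufficient ... trust" line uncommented,
# and a hypothetical user "alice" added to group root.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' \
        'auth       sufficient pam_rootok.so' \
        '# auth       required   pam_wheel.so' \
        'auth       sufficient pam_wheel.so trust' > "$tmp/su"
    printf '%s\n' 'root:x:0:alice' 'users:x:100:bob' > "$tmp/group"
    audit_su_pam "$tmp/su"
    group_members "$tmp/group" root
    rm -rf "$tmp"
}

demo
```

On a real host, pass `/etc/pam.d/su` and `/etc/group`; a `trust=yes` line means every listed member reaches root with no password prompt, so the group's membership becomes the control to review.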
 
