On Slackware I was able to limit su use to members of wheel group by creating a suauth file, but this doesn't work for Arch. I think it's because of PAM...
Anyway, is there a way to limit su use to wheel group?
Excessive showering, grooming, and toothbrushing is not only vain, it wastes valuable coding time.
Offline
IIRC, I think you can do this with visudo...
Offline
visudo would only limit sudo, not the su command itself. No idea how it's done, I've never heard of this. I figure it should be possible to chmod the su binary such that only group wheel can execute it. No idea if that's the best way to go about it though.
Dusty
Offline
Oops, my bad.
Offline
# dir /bin/su
-r-sr-xr-x 1 root root 19912 2004-12-16 07:55 /bin/su
# chgrp wheel /bin/su
# chmod 4550 /bin/su
# dir /bin/su
-r-sr-x--- 1 root wheel 19912 2004-12-16 07:55 /bin/su
Now only group wheel can use su (others get -bash: /bin/su: Permission denied), that's a good workaround. But it will go away when the file su gets updated, no?
Offline
I have another solution to this problem:
In the directory /etc/pam.d/ there is a file named su, which contains the following data (this is not the complete file):
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
The only thing I did to limit su was to uncomment the 2nd line.
Offline
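A check for the setting described in the post above, as an added example that is not part of the thread: it reports whether a PAM service file has the pam_wheel line active, still commented out, or missing. The function names, the sample file names and the pam_unix.so line are assumptions made for the illustration; accepting requisite as well as required, and a leading "-" on auth, goes beyond the single line quoted in the post.

```shell
#!/bin/sh
# Added example (not from the thread): report whether a PAM service file
# enforces wheel membership through pam_wheel.

# Print enforced | commented | absent | unreadable for the file in $1.
pam_wheel_state() {
    # auth rule with a control that makes failure fatal, then the module name
    rule='-?auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so([[:space:]]|$)'
    [ -r "$1" ] || { echo unreadable; return 2; }
    if grep -Eq "^[[:space:]]*${rule}" "$1"; then
        echo enforced        # active line: non-wheel users are refused
    elif grep -Eq "^[[:space:]]*#[[:space:]]*${rule}" "$1"; then
        echo commented       # line is present but still disabled
    else
        echo absent
    fi
}

# Constructed sample files; only the two pam_wheel lines come from the thread.
write_samples() {
    printf '%s\n' '#%PAM-1.0' \
        '# Uncomment the following line to require a user to be in the "wheel" group.' \
        '#auth required pam_wheel.so use_uid' \
        'auth required pam_unix.so' > "$1/su.default"
    printf '%s\n' '#%PAM-1.0' \
        'auth required pam_wheel.so use_uid' \
        'auth required pam_unix.so' > "$1/su.hardened"
    printf '%s\n' '#%PAM-1.0' 'auth required pam_unix.so' > "$1/su.none"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in su.default su.hardened su.none; do
    printf '%s: %s\n' "$f" "$(pam_wheel_state "$demo_dir/$f")"
done
rm -rf "$demo_dir"
```

Run against /etc/pam.d/su after a package update, the same function shows whether the edit survived.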
Indeed, that makes sense when we know how it works... Many thanks to you!
Offline
This should be the default behaviour, no? On FreeBSD it is, because it is the more secure way to have it. I created my user with the wheel group when I first installed, and really I haven't noticed that I could su without being a wheel user.
Can this be the default, please?
Offline
It should be the default IMHO, but in Slackware too it must be enabled manually.
Offline
Brilliant! I also think it should be the default setting in Arch.
Last edited by Zibi1981 (2008-02-19 14:47:53)
"... being a Linux user is sort of like living in a house inhabited by a large family of carpenters and architects. Every morning when you wake up, the house is a little different. Maybe there is a new turret, or some walls have moved. Or perhaps someone has temporarily removed the floor under your bed."
MSI Raider GE78HX 13VI-032PL
Offline