
#1 2006-03-07 03:12:09

raskolnikov
Member
From: France
Registered: 2006-01-08
Posts: 100

Limit su to wheel group

On Slackware I was able to limit su use to members of wheel group by creating a suauth file, but this doesn't work for Arch. I think it's because of PAM...

Anyway, is there a way to limit su use to wheel group?


Excessive showering, grooming, and toothbrushing is not only vain, it wastes valuable coding time.

Offline

#2 2006-03-07 03:39:40

paul2lv
Member
From: Vegas
Registered: 2005-11-09
Posts: 116

Re: Limit su to wheel group

IIRC, I think you can do this with visudo...

Offline

#3 2006-03-07 03:52:17

Dusty
Schwag Merchant
From: Medicine Hat, Alberta, Canada
Registered: 2004-01-18
Posts: 5,986
Website

Re: Limit su to wheel group

visudo would only limit sudo, not the su command itself. No idea how it's done, I've never heard of this. I figure it should be possible to chmod the su binary such that only group wheel can execute it. No idea if that's the best way to go about it though.

Dusty

Offline

#4 2006-03-07 04:12:24

paul2lv
Member
From: Vegas
Registered: 2005-11-09
Posts: 116

Re: Limit su to wheel group

Oops, my bad.  :oops:

Offline

#5 2006-03-07 11:48:41

raskolnikov
Member
From: France
Registered: 2006-01-08
Posts: 100

Re: Limit su to wheel group

# dir /bin/su
-r-sr-xr-x  1 root root 19912 2004-12-16 07:55 /bin/su
# chgrp wheel /bin/su
# chmod 4550 /bin/su
# dir /bin/su
-r-sr-x---  1 root wheel 19912 2004-12-16 07:55 /bin/su

Now only group wheel can use su (others get -bash: /bin/su: Permission denied), that's a good workaround. But it will go away when the file su gets updated, no?



Offline

#6 2006-03-07 21:54:12

PJ
Member
From: Sweden
Registered: 2005-10-11
Posts: 602

Re: Limit su to wheel group

I have another solution to this problem:

In the directory /etc/pam.d/ there is a file named su, which contains the following data (this is not the complete file):

# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid

The only thing I did to limit su was to uncomment the 2nd line.

Offline
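
As an added example (not part of PJ's post or of any Arch tooling), this shell function reports whether a PAM su file actually enforces the wheel restriction described above, rather than leaving the line commented out or using a non-restricting form such as `sufficient ... trust`. The function names and the sample file contents around the pam_wheel.so lines are constructed for illustration; bracketed control values like `[success=ok default=die]` are not interpreted.

```shell
#!/bin/sh
# Added example: report how a PAM "su" service file treats pam_wheel.so.
# Prints one of: enforced | not-enforcing | commented | absent
pam_su_wheel_status() {
    awk '
        # Active (uncommented) auth line that loads pam_wheel.so
        $1 == "auth" && $3 ~ /(^|\/)pam_wheel\.so$/ {
            opts = ""
            for (i = 4; i <= NF; i++) opts = opts " " $i
            # required/requisite make a non-member fail authentication.
            # "deny" inverts the group test, and "sufficient ... trust" only
            # skips the password for members; neither limits su to the group.
            if (($2 == "required" || $2 == "requisite") && opts !~ / deny( |$)/)
                enforced = 1
            else
                weak = 1
            next
        }
        # The same line still commented out, as quoted in the thread
        /^[ \t]*#[ \t]*auth[ \t].*pam_wheel\.so/ { commented = 1 }
        END {
            if (enforced)       print "enforced"
            else if (weak)      print "not-enforcing"
            else if (commented) print "commented"
            else                print "absent"
        }
    ' "$1"
}

# Constructed sample files; only the pam_wheel.so lines follow the thread.
make_samples() {
    first='auth            sufficient      pam_rootok.so'
    last='auth            required        pam_unix.so'
    printf '%s\n' "$first" '#auth           required        pam_wheel.so use_uid' \
        "$last" > "$1/su.shipped"
    printf '%s\n' "$first" 'auth            required        pam_wheel.so use_uid' \
        "$last" > "$1/su.enabled"
    printf '%s\n' "$first" 'auth            sufficient      pam_wheel.so trust use_uid' \
        "$last" > "$1/su.trust"
}

d=$(mktemp -d)
make_samples "$d"
for f in shipped enabled trust; do
    printf '%-8s %s\n' "$f" "$(pam_su_wheel_status "$d/su.$f")"
done
rm -rf "$d"
```

On a real system, point it at /etc/pam.d/su; unlike the chmod workaround, the PAM setting lives in a configuration file rather than in the mode bits of the su binary.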

#7 2006-03-07 22:03:35

raskolnikov
Member
From: France
Registered: 2006-01-08
Posts: 100

Re: Limit su to wheel group

Indeed, that makes sense when we know how it works... Many thanks to you! :)



Offline

#8 2006-03-07 23:53:50

_Gandalf_
Member
Registered: 2006-01-12
Posts: 735

Re: Limit su to wheel group

This should be the default behaviour, no? On FreeBSD it is, because it is the more secure way to have it. I created my user with the wheel group when I first installed, and really I haven't noticed that I could su without being a wheel user.

Can this be default please?

Offline

#9 2006-03-08 00:36:20

raskolnikov
Member
From: France
Registered: 2006-01-08
Posts: 100

Re: Limit su to wheel group

It should be the default IMHO, but in Slackware too it must be enabled manually :?



Offline

#10 2008-02-19 14:43:06

Zibi1981
Member
From: Poland
Registered: 2008-01-31
Posts: 644

Re: Limit su to wheel group

Brilliant! I also think it should be the default setting in Arch :)

Last edited by Zibi1981 (2008-02-19 14:47:53)


"... being a Linux user is sort of like living in a house inhabited by a large family of carpenters and architects. Every morning when you wake up, the house is a little different. Maybe there is a new turret, or some walls have moved. Or perhaps someone has temporarily removed the floor under your bed."

MSI Raider GE78HX 13VI-032PL

Offline
