I noticed recently that user accounts on my machine could su to root even though they weren't in the wheel group. A bit of googling revealed that, in order to enforce this policy, one needs to edit the file /etc/pam.d/su, and in particular, to uncomment the following line (which is commented out by default in Arch):
auth required pam_wheel.so use_uid
I was just curious if anyone knows why this is not the default policy. I was always under the impression that the whole point of the wheel group was to limit root access via su. This is the default on *BSD, as far as I know, but maybe others know more about the evolution of wheel in Linux (and Arch in particular). In any case, it might be helpful to include a mention of this in the wiki article on user accounts, or some other relevant place.
and what would be the point?
If someone knows the root password, then opening a console and logging in as root is not a big deal. On the other hand, if for security reasons you want to set passwordless access to root, you will have to modify more than just su access.
Well, yes, obviously. But in a setup where people only login remotely, with no local console access, then this would seem like an important setting one would want to enforce (along with barring root logins via ssh, which, as I now see, is not Arch's default either). Clearly if root's password is known to someone who shouldn't have it, then you probably have bigger problems. And passwordless login could be used as a way to avoid these issues, as well. But in any case I was interested to learn that the Arch defaults are rather permissive in this regard.
GNU su (from coreutils), which is what Arch uses, does not support the wheel group restriction. So there is very little point adding one to your pam.conf...
Edit: note that some other distros patch this support in but it is Arch policy to follow the upstream default.
> GNU su (from coreutils), which is what Arch uses, does not support the wheel group restriction. So there is very little point adding one to your pam.conf...
> Edit: note that some other distros patch this support in but it is Arch policy to follow the upstream default.
Actually, you do have this patch applied here as well: coreutils-pam.patch. So maybe you need to go read your own PKGBUILD again?
Wow... so I do! I thought I got rid of that when I did the PKGBUILD cleanup a few months back. Seems I decided not to...
> Wow... so I do! I thought I got rid of that when I did the PKGBUILD cleanup a few months back. Seems I decided not to...
Indeed, and I can confirm that uncommenting the relevant line in /etc/pam.d/su does prevent su-ing to root from accounts that are not in wheel (there's even a comment in the file that tells you which line to uncomment). Well, this has all been interesting and informative. I learn something new just about every day with Arch.
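A small defender-side check for the policy the thread settles on, added here as an example rather than taken from the thread or from Arch: it tests whether a copy of /etc/pam.d/su contains an active (uncommented) `auth required pam_wheel.so` line, and whether a given group list contains `wheel`. The sample /etc/pam.d/su contents written by `write_sample` are constructed for the example (only the `pam_wheel.so use_uid` line itself comes from the thread), and treating only `required`/`requisite` as enforcing is the script's own assumption; a `sufficient` control or a leading `#` leaves su unrestricted.

```sh
#!/bin/sh
# Added example, not code from the thread: check whether the /etc/pam.d/su
# policy discussed above is actually in force. The file path is a parameter
# so the check can be run against a constructed copy as well as the live file.

# wheel_enforced FILE
# Succeeds (exit 0) when FILE has an uncommented line of the form
#   auth required pam_wheel.so ...
# A leading '#' (the Arch default) or a 'sufficient' control does not
# restrict su to the wheel group, so those do not count as enforced.
wheel_enforced() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so' "$1"
}

# in_wheel "GROUPS"
# GROUPS is the space-separated output of `id -nG USER`; it is passed in
# rather than looked up so the function can be exercised offline.
in_wheel() {
    printf '%s\n' $1 | grep -qx wheel
}

# write_sample FILE MODE
# Writes a constructed sample of /etc/pam.d/su. MODE "default" leaves the
# pam_wheel line commented out (the Arch default the thread describes);
# MODE "enforced" uncomments it, as the last post confirms works.
write_sample() {
    case "$2" in
        enforced) wheel_line='auth required pam_wheel.so use_uid' ;;
        *)        wheel_line='#auth required pam_wheel.so use_uid' ;;
    esac
    printf '%s\n' \
        '#%PAM-1.0' \
        'auth sufficient pam_rootok.so' \
        '# Uncomment the following line to implement a simple wheel-restriction' \
        "$wheel_line" \
        'auth required pam_unix.so' \
        'account required pam_unix.so' > "$1"
}

# report [FILE]
# Human-readable summary for the given file (default: the live one) and
# for the invoking user's group membership.
report() {
    f="${1:-/etc/pam.d/su}"
    if wheel_enforced "$f"; then
        echo "$f: su to root is restricted to the wheel group"
    else
        echo "$f: pam_wheel line absent or commented out; any user who knows root's password can su"
    fi
    if in_wheel "$(id -nG)"; then
        echo "current user is in wheel"
    else
        echo "current user is NOT in wheel"
    fi
}

# Run the report only when asked to, e.g.:  sh check-su-wheel.sh --report
case "${1:-}" in
    --report) report "${2:-/etc/pam.d/su}" ;;
esac
```

Run it with `--report` on a live system; the functions can also be sourced and pointed at a copy of the file, which is how the sample below is exercised.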