[96148] in RedHat Linux List
RE: Virtualising a Linux system
daemon@ATHENA.MIT.EDU (Simon Garner)
Sat Oct 24 17:01:17 1998
From: "Simon Garner" <sgarner@expio.co.nz>
To: <redhat-list@redhat.com>
Date: Sun, 25 Oct 1998 09:57:12 +1300
In-Reply-To: <Pine.LNX.3.96.981024074514.4936A-100000@sundance.eth>
Resent-From: redhat-list@redhat.com
Reply-To: redhat-list@redhat.com
Hey,
> >c) how can I limit "su" access to a certain group? Obviously I can
> >do it with file permissions but that's easy to get around. I've seen
> >a much better way on another system, where executing "su" as
> >anyone outside the "admin" group gives a message "you must be
> >in the admin group to use su". Any ideas how it's done?
>
> 'sudo' might be want you want here, rather than su.
>
>
> dave
Nope... I want to give less su privelages, not more!
Just did a bit more research. I said "admin" group before, although I
actually meant "wheel." I thought by saying "admin" it would simplify
my description of the problem, although it probably served only to
confuse the issue.
Limiting "su" access to the wheel group would appear to be a standard
feature of other UNIXes, which has been removed from GNU su.
Check this out:
---
Why GNU `su' does not support the `wheel' group
(This section is by Richard Stallman.)
Sometimes a few of the users try to hold total power over all the rest.
For example, in 1984, a few users at the MIT AI lab decided to seize
power by changing the operator password on the Twenex system and
keeping it secret from everyone else. (I was able to thwart this coup and
give power back to the users by patching the kernel, but I wouldn't know
how to do that in Unix.)
However, occasionally the rulers do tell someone. Under the usual `su'
mechanism, once someone learns the root password who sympathizes
with the ordinary users, he or she can tell the rest. The "wheel group"
feature would make this impossible, and thus cement the power of the
rulers.
I'm on the side of the masses, not that of the rulers. If you are used to
supporting the bosses and sysadmins in whatever they do, you might
find this idea strange at first.
---
That's all very well and good if you're in a company and don't want to
create an authoritarian system -- but I'm selling access to my system,
and security is paramount. I certainly do not want people taking control
of root access...
Any idea how I can get this functionality back?
Cheers,
Simon Garner.
--
PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
http://www.redhat.com http://archive.redhat.com
To unsubscribe: mail redhat-list-request@redhat.com with
"unsubscribe" as the Subject.