From owner-cvs-usrbin  Mon Feb 24 15:11:08 1997
Return-Path: <owner-cvs-usrbin>
Received: (from root@localhost)
          by freefall.freebsd.org (8.8.5/8.8.5) id PAA27037
          for cvs-usrbin-outgoing; Mon, 24 Feb 1997 15:11:08 -0800 (PST)
Received: from panda.hilink.com.au (panda.hilink.com.au [203.2.144.5])
          by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id PAA26724;
          Mon, 24 Feb 1997 15:08:50 -0800 (PST)
Received: (from danny@localhost) by panda.hilink.com.au (8.8.5/8.7.3) id KAA05423; Tue, 25 Feb 1997 10:17:10 +1100 (EST)
Date: Tue, 25 Feb 1997 10:17:09 +1100 (EST)
From: "Daniel O'Callaghan" <danny@panda.hilink.com.au>
To: =?KOI8-R?B?4c7E0sXKIP7F0s7P1w==?= <ache@nagual.ru>
cc: Guido van Rooij <guido@freefall.freebsd.org>,
        CVS-committers@freefall.freebsd.org, cvs-all@freefall.freebsd.org,
        cvs-usrbin@freefall.freebsd.org
Subject: Re: cvs commit: src/usr.bin/su su.1 su.c
In-Reply-To: <Pine.BSF.3.95q.970225010600.1497A-100000@nagual.ru>
Message-ID: <Pine.BSF.3.91.970225100134.8268j-100000@panda.hilink.com.au>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-cvs-usrbin@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk



On Tue, 25 Feb 1997, =?KOI8-R?B?4c7E0sXKIP7F0s7P1w==?= wrote:

> On Mon, 24 Feb 1997, Guido van Rooij wrote:
> 
> > guido       97/02/24 12:32:27
> > 
> >   Modified:    usr.bin/su  su.1 su.c
> >   Log:
> >   When group wheel is empty, allow everyone to su to root. This has normally
> >   no conseqeunces as we ship with a non-empty wheel.
> 
> I disagree. Some sysadmins intentionally make it empty to disallow 'su'
> and allow only root login from console. Also implicit defaults in this way
> can be potential hole. Direct list of users here shows better who
> currently have access than empty default with unknown users list, please
> back it out.

What about an explicit entry for 'everyone'?
e.g. wheel:*:0:*

I'd much rather have people actively decide to allow su access than 
passively allow it.

Danny