From owner-cvs-usrbin Mon Feb 24 15:28:27 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id PAA28752 for cvs-usrbin-outgoing; Mon, 24 Feb 1997 15:28:27 -0800 (PST)
Received: from veda.is (ubiq.veda.is [193.4.230.60]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id PAA28636; Mon, 24 Feb 1997 15:27:59 -0800 (PST)
Received: (from adam@localhost) by veda.is (8.8.4/8.7.3) id XAA27438; Mon, 24 Feb 1997 23:39:56 GMT
From: Adam David
Message-Id: <199702242339.XAA27438@veda.is>
Subject: Re: cvs commit: src/usr.bin/su su.1 su.c
In-Reply-To: from "[______ ______]" at "Feb 25, 97 01:09:04 am"
To: ache@nagual.ru (=?KOI8-R?B?4c7E0sXKIP7F0s7P1w==?=)
Date: Mon, 24 Feb 1997 23:39:55 +0000 (GMT)
Cc: guido@freefall.freebsd.org, CVS-committers@freefall.freebsd.org, cvs-all@freefall.freebsd.org, cvs-usrbin@freefall.freebsd.org
X-Mailer: ELM [version 2.4ME+ PL31 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-cvs-usrbin@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> > guido 97/02/24 12:32:27
> >
> > Modified: usr.bin/su su.1 su.c
> > Log:
> > When group wheel is empty, allow everyone to su to root. This has normally
> > no consequences as we ship with a non-empty wheel.

[Andrey]
> I disagree. Some sysadmins intentionally make it empty to disallow 'su'
> and allow only root login from console. Also implicit defaults in this way
> can be potential hole. Direct list of users here shows better who
> currently have access than empty default with unknown users list, please
> back it out.

Please leave it as it is now. If you make root the only member of wheel,
that gives the behaviour that you seek. This is naturally intuitive.

wheel:*:0:root,...      #named users can su
wheel:*:0:root          #"only root can su"
wheel:*:0:              #anyone can su

The 3rd line is "anyone" because "no one" would be equivalent to the 2nd line,
since root (by definition) can always su.
Sorry if I didn't state it clearly, it is really obvious though.

Adam
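
The three wheel cases listed in the message above, turned into an audit check. This is an added example, not part of the original message or of su itself; the function name wheel_su_policy, the user name alice, and the choice to identify the group by gid 0 (as in the sample lines) and to use the first such line are assumptions.

```sh
#!/bin/sh
# Classify who may su to root under the wheel semantics described in the
# message above. Reads group(5)-format lines on stdin and prints one word:
#   named      wheel lists users other than root: only those users can su
#   root-only  wheel lists only root: no ordinary user can su
#   anyone     wheel has no members: every user can su
#   no-wheel   no gid 0 group line was found (a case the message does not cover)
wheel_su_policy() {
    awk -F: '
        /^[ \t]*#/ || NF < 3 { next }      # skip comments and malformed lines
        $3 == "0" && !found {              # first gid 0 line only (assumption)
            found = 1
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", m[i])   # trim stray whitespace
                if (m[i] == "")          continue   # ignore empty entries
                if (m[i] == "root")      root = 1
                else                     others++
            }
        }
        END {
            if (!found)          print "no-wheel"
            else if (others > 0) print "named"
            else if (root)       print "root-only"
            else                 print "anyone"
        }
    '
}

# Constructed sample lines, one per case from the message.
for line in 'wheel:*:0:root,alice' 'wheel:*:0:root' 'wheel:*:0:'; do
    printf '%-22s -> %s\n' "$line" "$(printf '%s\n' "$line" | wheel_su_policy)"
done
```

Run against a real system with `wheel_su_policy < /etc/group`; an "anyone" result is the empty-wheel default that Andrey's objection is about.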