From: Robert Watson
Date: Sun, 13 Oct 2002 14:04:24 -0400 (EDT)
To: Mark Murray
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/etc group

On Sun, 13 Oct 2002, Mark Murray wrote:

> > Leave root in operator for dump/restore broadcast reasons; leave root
> > in wheel until discrepancies in the "no users in wheel means any user
> > can su" policy are resolved (possibly indefinitely).
>
> This sounds like a policy decision that can be handed over to PAM.

Currently, it is, I believe. I was sure at one point that we supported a
mode of operation for su that allowed any user to su to root if the wheel
group was empty, and restricted it to the wheel group if it was non-empty.
That no longer appears to be the case on 5.0, and I haven't got a 4.x box
I can afford to shoot down to experiment with right now on that branch.
Currently, the wheel behavior in the PAM case is entirely encapsulated in
pam_wheel(8).

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Network Associates Laboratories
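
An added illustration, not part of the original message and not su(1) or pam_wheel(8) code: a small Python model of the two readings of the wheel policy quoted above, showing that they only diverge when the group lists no members. The function names and sample group(5) entries are constructed for this example, and membership through a user's primary GID is not modeled.

```python
# Model of the two wheel-group policies discussed in the message above.
# Hypothetical helper names; this is not how su(1) or pam_wheel(8) is written.

def parse_group(text):
    """Parse group(5) lines (name:passwd:gid:member,member) into {name: set(members)}."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue  # malformed entry: skip it rather than guess at its meaning
        name, _passwd, _gid, members = fields
        groups[name] = {m for m in members.split(",") if m}
    return groups


def may_su_to_root(user, groups, empty_means_open, group="wheel"):
    """Decide whether `user` passes the wheel check.

    empty_means_open=True  models "no users in wheel means any user can su".
    empty_means_open=False models a strict check that denies when the group is empty.
    """
    members = groups.get(group, set())
    if not members:
        # The only case where the two policies disagree.
        return empty_means_open
    return user in members


# Constructed sample inputs (not taken from any real system).
GROUP_WITH_ROOT = "wheel:*:0:root\noperator:*:5:root\n"
GROUP_EMPTY_WHEEL = "wheel:*:0:\noperator:*:5:root\n"

if __name__ == "__main__":
    for label, text in (("root in wheel", GROUP_WITH_ROOT), ("empty wheel", GROUP_EMPTY_WHEEL)):
        g = parse_group(text)
        for open_policy in (True, False):
            print(label, "empty_means_open=%s" % open_policy,
                  "alice allowed:", may_su_to_root("alice", g, open_policy))
```

With root listed in wheel the group is never empty, so both policies give the same answer for every user; the ambiguity only matters once the member list is emptied.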