From: "Dan Langille"
Organization: novice in training
To: doc@freebsd.org
Date: Wed, 25 Jul 2001 09:53:26 -0400
Subject: handbook: securing root and staff account
Reply-To: dan@langille.org
Message-Id: <200107251353.f6PDrS428325@lists.unixathome.org>

Does anyone else think that this excerpt is not very clear? What is trying to be said here?

###
One way to make root accessible is to add appropriate staff accounts to the wheel group (in /etc/group). The staff members placed in the wheel group are allowed to su to root. You should never give staff members native wheel access by putting them in the wheel group in their password entry. Staff accounts should be placed in a staff group, and then added to the wheel group via the /etc/group file. Only those staff members who actually need to have root access should be placed in the wheel group.
###

There was some discussion about this. I suspect what is trying to be said above is:

Don't do this:

    mike:*:1009:0::0:0:Mike Rumsey:/home/mike:/usr/local/bin/bash

i.e. group id =0

do this:

    mike:*:1009:1009::0:0:Mike Rumsey:/home/mike:/usr/local/bin/bash
    wheel:*:0:root,mike

It has been said they are saying this:

    wheel:*:0:root,staff
    staff:*:20:root,mike

Comments?

-- 
Dan Langille
pgpkey - finger dan@unixathome.org | http://unixathome.org/finger.php
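An added example, not part of the original message or the handbook: a small sh/awk audit that shows how the three layouts above differ, reporting accounts whose primary gid is 0 in the password file, wheel members that are real accounts, and wheel members that match no account (entries in /etc/group are login names, so a group name such as "staff" listed there is not expanded). The function name audit_wheel, the output labels, the root entry and the temporary file names are assumptions made for this illustration; the mike, wheel and staff lines are the ones quoted in the message.

```shell
#!/bin/sh
# audit_wheel PASSWD GROUP: report how each account obtains gid 0 (wheel).
# PASSWD uses the passwd/master.passwd layout (gid is field 4 in both);
# GROUP uses the /etc/group layout (name:pw:gid:member,member,...).
audit_wheel() {
    awk -F: '
        /^#/ || NF == 0 { next }              # skip comments and blank lines
        FILENAME == ARGV[1] {                 # first file: password entries
            user[$1] = 1
            # Primary gid 0 on a non-root account is the "native wheel
            # access" that the handbook excerpt warns against.
            if ($4 == 0 && $1 != "root") print "PRIMARY_GID0 " $1
            next
        }
        $3 == 0 {                             # second file: the gid 0 group line
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) {
                if (m[i] == "") continue
                # Members are login names; flag any that match no account.
                if (m[i] in user) print "WHEEL_MEMBER " m[i]
                else              print "UNKNOWN_MEMBER " m[i]
            }
        }
    ' "$1" "$2"
}

# Constructed sample files reproducing the three layouts from the message.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
root='root:*:0:0::0:0:Charlie &:/root:/bin/csh'
tail='Mike Rumsey:/home/mike:/usr/local/bin/bash'
# Case a: gid 0 set in the password entry
printf '%s\n' "$root" "mike:*:1009:0::0:0:$tail" > "$tmp/pw.a"
printf '%s\n' 'wheel:*:0:root' > "$tmp/gr.a"
# Case b: own primary group, wheel granted through the group file
printf '%s\n' "$root" "mike:*:1009:1009::0:0:$tail" > "$tmp/pw.b"
printf '%s\n' 'wheel:*:0:root,mike' > "$tmp/gr.b"
# Case c: a group name listed as a member of wheel
cp "$tmp/pw.b" "$tmp/pw.c"
printf '%s\n' 'wheel:*:0:root,staff' 'staff:*:20:root,mike' > "$tmp/gr.c"
for c in a b c; do
    echo "== case $c"; audit_wheel "$tmp/pw.$c" "$tmp/gr.$c"
done
```

On a live system the same function can be pointed at /etc/passwd and /etc/group.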