From owner-freebsd-doc Wed Jul 25 8:32:23 2001
Message-ID: <3B5EE6EA.95EABFE0@i-clue.de>
Date: Wed, 25 Jul 2001 17:34:02 +0200
From: Christoph Sold
Reply-To: so@server.i-clue.de
To: dan@langille.org
Cc: doc@FreeBSD.ORG
Subject: Re: handbook: securing root and staff account
References: <200107251353.f6PDrS428325@lists.unixathome.org>

Dan Langille wrote:
>
> Does anyone else think that this excerpt is not very clear? What is
> trying to be said here?
>
> ###
> One way to make root accessible is to add appropriate staff accounts to
> the wheel group (in /etc/group). The staff members placed in the wheel
> group are allowed to su to root. You should never give staff members
> native wheel access by putting them in the wheel group in their
> password entry. Staff accounts should be placed in a staff group, and
> then added to the wheel group via the /etc/group file. Only those staff
> members who actually need to have root access should be placed in the
> wheel group.
> ###
>
> There was some discussion about this. I suspect what is trying to be
> said above is:
>
> Don't do this:
>
> mike:*:1009:0::0:0:Mike Rumsey:/home/mike:/usr/local/bin/bash
>
> i.e. group id = 0
>
> do this:
>
> mike:*:1009:1009::0:0:Mike Rumsey:/home/mike:/usr/local/bin/bash
>
> wheel:*:0:root,mike
>
> It has been said they are saying this:
>
> wheel:*:0:root,staff
> staff:*:20:root,mike
>
> Comments?

I interpret this plainly as

mike:*:1009:1000:0::0:0:Mike Rumsey:/home/mike:/usr/local/bin/bash
me:*:1010:1000:0::0:0:Sysop Dummy:/home/me:/bin/sh
wheel:*:0:mike,me
staff:*:1000:

Anyhow, both things will have their benefits.

Just my EUR.02
-Christoph Sold
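
Added example, not part of the original message or of the handbook: a small audit that separates the cases discussed in this thread, namely accounts that hold wheel through the gid field of their password entry, accounts listed as members in the group file, and member names that are not accounts at all (such as a group name, which the group file does not expand). The function name, the result keys and the sample data are assumptions constructed for illustration.

```python
# Constructed sample data modelled on the entries quoted in the thread.
# master.passwd fields: name:password:uid:gid:class:change:expire:gecos:home:shell
SAMPLE_PASSWD = """\
root:*:0:0::0:0:Charlie Root:/root:/bin/csh
mike:*:1009:1009::0:0:Mike Rumsey:/home/mike:/usr/local/bin/bash
me:*:1010:0::0:0:Sysop Dummy:/home/me:/bin/sh
"""
SAMPLE_GROUP = """\
wheel:*:0:root,mike,staff
staff:*:20:root,mike
"""


def _records(text, min_fields):
    """Yield colon-split fields for each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < min_fields:
            raise ValueError(f"malformed entry: {line!r}")
        yield fields


def audit_wheel(passwd_text, group_text, wheel="wheel"):
    """Classify how each name obtains membership of the wheel group."""
    primary_gid = {f[0]: int(f[3]) for f in _records(passwd_text, 4)}
    groups = {f[0]: (int(f[2]), [m for m in f[3].split(",") if m])
              for f in _records(group_text, 4)}
    wheel_gid, members = groups[wheel]
    return {
        # Non-root accounts whose passwd entry carries the wheel gid.
        "native_gid": sorted(u for u, g in primary_gid.items()
                             if g == wheel_gid and u != "root"),
        # Accounts added through the member list in the group file.
        "listed": sorted(m for m in members if m in primary_gid),
        # Member names with no account; a group name here is not expanded.
        "not_accounts": sorted(m for m in members if m not in primary_gid),
    }


if __name__ == "__main__":
    for kind, names in audit_wheel(SAMPLE_PASSWD, SAMPLE_GROUP).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

On a real system the two arguments would be the contents of the password and group files; anything reported under native_gid or not_accounts is worth reviewing against the handbook paragraph quoted above.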