From owner-freebsd-current Tue Mar 4 07:39:02 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id HAA26892 for current-outgoing; Tue, 4 Mar 1997 07:39:02 -0800 (PST)
Received: from mole.mole.org (marmot.mole.org [204.216.57.191]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id HAA26887 for ; Tue, 4 Mar 1997 07:38:54 -0800 (PST)
Received: (from mail@localhost) by mole.mole.org (8.6.12/8.6.12) id PAA28510; Tue, 4 Mar 1997 15:39:50 GMT
Received: from meerkat.mole.org(206.197.192.110) by mole.mole.org via smap (V1.3) id sma028507; Tue Mar 4 15:39:25 1997
Received: (from mrm@localhost) by meerkat.mole.org (8.6.11/8.6.9) id HAA14692; Tue, 4 Mar 1997 07:37:55 -0800
Date: Tue, 4 Mar 1997 07:37:55 -0800
From: "M.R.Murphy"
Message-Id: <199703041537.HAA14692@meerkat.mole.org>
To: adam@veda.is, mrm@mole.mole.org
Subject: Re: cvs commit: src/usr.bin/su su.1 su.c
Cc: current@freebsd.org, wollman@lcs.mit.edu
Sender: owner-current@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>
> > I'll grant that the overloading of the use of the "wheel" group
> > might have been an injudicious choice. I prefer sudo :-)
>
> Yep.
>
> > The current behavior allows the three cases mentioned above:
> >
> > 1) only root can su,
> > 2) named users can su,
> > 3) anyone can su
> >
> > How would the "correct behavior of the command to call getgroups
> > and check the result for a GID of 0" provide for the three cases
> > above without enumerating all users as in 2)?
>
> 1) Root is a named user, don't name any others.
> 2) Name them (traditionally in group 'wheel', but could be elsewhere).
> 3) /etc/su.conf

Does any of the 3 immediately above handle the "anyone can su" case, which
those who are used to, shudder, System V, might prefer? Ah, yes /etc/su.conf
would contain a description of desired behavior, and not an enumeration
of users allowed to su.

/etc/su.conf, YAFCFIHTP -- yet another control file I have to protect :-)
/etc/kerberosIV, /etc/su.conf, /etc/sudoers, /etc/inetd.conf, /etc/passwd,
/etc/group, /var/yp/etc/*, .... I want more ways to be root :-)

I ask, "What's wrong with leaving it as is and letting those who want more
control use sudo?" It's a rhetorical question, since the answer seems to
reduce to, "It's fun to hack at things." It is, too; I agree :-)

--
Mike Murphy mrm@Mole.ORG +1 619 598 5874
Better is the enemy of Good