Bug 12161 - wheel group functionality
wheel group functionality
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: sh-utils (Show other bugs)
7.1
noarch Linux
medium Severity medium
: ---
: ---
Assigned To: Nalin Dahyabhai
: FutureFeature
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2000-06-12 16:29 EDT by Christian Rose
Modified: 2008-05-01 11:37 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2000-06-30 18:51:16 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Christian Rose 2000-06-12 16:29:14 EDT
I think that wheel group functionality is one security related thing that
could be enabled by default in the next release of Red Hat. The "wheel"
group thing is relly easy to add in Red Hat after installation thanks to
PAM, but it always annoys me that I have to manually enable it, and that it
is turned off by default.

The "wheel group" functionality is a default one in FreeBSD. The "wheel"
group is a group with those users that should be able to use "su" to
become root. All other users are being shut out from that possibility:
If they try su:ing to root, and even if they should supply the correct
password, the only response they'll get is the standard "incorrect
password".

Adding this functionality is a matter of adding the line

auth       required     /lib/security/pam_wheel.so

to /etc/pam.d/su and adding those users who should to be able to su to
root to the "wheel" group in /etc/group.

I suggest that the above line be added as default to /etc/pam.d/su, and
thus the wheel group functionality be default in the next release of Red
Hat.
Comment 1 Christian Rose 2000-06-12 16:37:43 EDT
Noticed that /etc/pam.d/su belongs to the sh-utils package, and changed the
component accordingly.
Comment 2 Nalin Dahyabhai 2000-06-12 17:14:11 EDT
We would get numerous complaints about users not being able to "su" to get a
root shell if we did this.  Using pam_wheel is a site-specific decision, but in
cases where the administrator is not aware of its existence, pam_wheel can be
very frustrating.
Comment 3 Pekka Savola 2000-06-12 17:44:51 EDT
Well, IIRC pam gives the same error message for password error, account expired, 
and whatever.  This would no doubt be confusing.

However, if 'su' said something to the effect:
---
su: you are not in the correct group to su root.
---
This would be self-documenting.

A lighter approach might be to change file permissions of 'su' and perhaps other 
similar relevant programs so that only group 'wheel' can even execute them.. No 
complaints about peculiar error messages.
Comment 4 Christian Rose 2000-06-13 05:57:16 EDT
That the upgrade path is difficult is, in my opinion, not a reason not to
include a severe security enhancement. The installation program could during an
upgrade warn about the changed behavior and ask what users (UID>500), taken from
the password file, should be able to switch to the superuser via "su".
I've not met anyone who thought that this wheel group behavior shouldn't be the
default. It would be a huge boost in Red Hat PR to the security-conscious Linux
users and admins.
Comment 5 Christian Rose 2000-06-15 06:44:42 EDT
gerald@esi.ac.at suggested that the line

#auth     required     /lib/security/pam_wheel.so group=wheel use_uid

be put (commented) in /etc/pam.d/su . This way, the default bevavior would be
the same as ever, but it would be easier for those who want wheel group
functionality to enable it.
Personally, I still think that wheel group functionality should be the default,
but this way Red Hat won't have so much trouble with confused users and the
upgrade path, and those who want this will have it easier.
As for the options to the line above, i don't know if the options are the right
(is group=wheel still needed? I think it was resolved in bug 5719), but that
commented line would anyway be a good idea.
Comment 6 Nalin Dahyabhai 2000-06-15 11:41:34 EDT
Adding a commented line to the su configuration file is definitely not a
problem.  I'll make that change today.
Comment 7 Christian Rose 2000-06-20 14:19:30 EDT
chris.ricker@genetics.utah.edu told that the lines in Debian's /etc/pam.d/su
were like this (I added group=wheel to the first line though):

# Uncomment this to force users to be a member of group wheel
# before they can use `su'.
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
# auth       required   pam_wheel.so group=wheel

# Uncomment this if you want wheel members to be able to
# su without a password.
# auth       sufficient pam_wheel.so trust

# Uncomment this if you want members of a specific group to not
# be allowed to use su at all.
# auth       required   pam_wheel.so deny group=nosu

I think the explainatory lines and examples are nice. Maybe this could be used
in Red Hat's /etc/pam.d/su too?
Comment 8 Brent Nordquist 2000-06-30 09:39:58 EDT
One of the comments above has arguments "group=wheel use_uid" to pam_wheel.so,
but the comment added to the file when closing this bug doesn't.  Just to
double-check:  are those parameters required?
Comment 9 Nalin Dahyabhai 2000-06-30 18:51:14 EDT
The "group=wheel" should not be required.  The logic in pam_wheel defaults to
using the wheel group, and the group with GID=0 if the wheel group does not
exist.  The "use_uid" option checks using the UID of the calling process instead 
of using getlogin(), which I actually think should have been the default.
Comment 10 Christian Rose 2000-07-14 17:46:16 EDT
I've verified this in beta3. Nalin has fixed this and also my suggestion with
some explanatory comments. This is the contents of /etc/pam.d/su in beta3:

#%PAM-1.0
auth	sufficient		/lib/security/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth	sufficient		/lib/security/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth	required		/lib/security/pam_wheel.so use_uid
auth	required		/lib/security/pam_stack.so service=system-auth
account	required		/lib/security/pam_stack.so service=system-auth
password	required		/lib/security/pam_stack.so service=system-auth
session	required		/lib/security/pam_stack.so service=system-auth
session	optional		/lib/security/pam_xauth.so

Looks good to me. I'm closing this now.

Note You need to log in before you can comment on or make changes to this bug.