I think that wheel group functionality is one security related thing that could be enabled by default in the next release of Red Hat. The "wheel" group thing is really easy to add in Red Hat after installation thanks to PAM, but it always annoys me that I have to manually enable it, and that it is turned off by default. The "wheel group" functionality is a default one in FreeBSD. The "wheel" group is a group with those users that should be able to use "su" to become root. All other users are shut out from that possibility: if they try su'ing to root, even if they supply the correct password, the only response they'll get is the standard "incorrect password". Adding this functionality is a matter of adding the line

auth required /lib/security/pam_wheel.so

to /etc/pam.d/su and adding those users who should be able to su to root to the "wheel" group in /etc/group. I suggest that the above line be added as default to /etc/pam.d/su, and thus the wheel group functionality be default in the next release of Red Hat.
Noticed that /etc/pam.d/su belongs to the sh-utils package, and changed the component accordingly.
We would get numerous complaints about users not being able to "su" to get a root shell if we did this. Using pam_wheel is a site-specific decision, but in cases where the administrator is not aware of its existence, pam_wheel can be very frustrating.
Well, IIRC PAM gives the same error message for a password error, an expired account, and whatever else. This would no doubt be confusing. However, if 'su' said something to the effect of: --- su: you are not in the correct group to su root. --- this would be self-documenting. A lighter approach might be to change the file permissions of 'su' and perhaps other similar relevant programs so that only group 'wheel' can even execute them. No complaints about peculiar error messages.
That the upgrade path is difficult is, in my opinion, not a reason not to include a severe security enhancement. The installation program could, during an upgrade, warn about the changed behavior and ask which users (UID>500), taken from the password file, should be able to switch to the superuser via "su". I've not met anyone who thought that this wheel group behavior shouldn't be the default. It would be a huge boost in Red Hat PR to the security-conscious Linux users and admins.
gerald.at suggested that the line

#auth required /lib/security/pam_wheel.so group=wheel use_uid

be put (commented) in /etc/pam.d/su. This way, the default behavior would be the same as ever, but it would be easier for those who want wheel group functionality to enable it. Personally, I still think that wheel group functionality should be the default, but this way Red Hat won't have so much trouble with confused users and the upgrade path, and those who want this will have it easier. As for the options to the line above, I don't know if the options are the right ones (is group=wheel still needed? I think it was resolved in bug 5719), but that commented line would anyway be a good idea.
Adding a commented line to the su configuration file is definitely not a problem. I'll make that change today.
chris.ricker.edu said that the lines in Debian's /etc/pam.d/su were like this (I added group=wheel to the first line though):

# Uncomment this to force users to be a member of group wheel
# before they can use `su'.
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
# auth required pam_wheel.so group=wheel

# Uncomment this if you want wheel members to be able to
# su without a password.
# auth sufficient pam_wheel.so trust

# Uncomment this if you want members of a specific group to not
# be allowed to use su at all.
# auth required pam_wheel.so deny group=nosu

I think the explanatory lines and examples are nice. Maybe this could be used in Red Hat's /etc/pam.d/su too?
One of the comments above has arguments "group=wheel use_uid" to pam_wheel.so, but the comment added to the file when closing this bug doesn't. Just to double-check: are those parameters required?
The "group=wheel" should not be required. The logic in pam_wheel defaults to using the wheel group, and the group with GID=0 if the wheel group does not exist. The "use_uid" option checks using the UID of the calling process instead of using getlogin(), which I actually think should have been the default.
I've verified this in beta3. Nalin has fixed this and also my suggestion with some explanatory comments. This is the contents of /etc/pam.d/su in beta3:

#%PAM-1.0
auth       sufficient   /lib/security/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient   /lib/security/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required     /lib/security/pam_wheel.so use_uid
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_xauth.so

Looks good to me. I'm closing this now.
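An added example (not part of this bug report or of Red Hat's or Linux-PAM's code): two small audit helpers an administrator can run after a release like the one above ships with the pam_wheel line commented out. The first reports whether an su PAM file actually enforces wheel-only su (an active "auth required ... pam_wheel.so" line) or merely trusts wheel members, the second lists the members pam_wheel would consult, falling back to the GID 0 group when no "wheel" group exists, as comment 10 describes. The sample su and group files are constructed here for demonstration; the function names and the file paths are assumptions, not anything from the thread.

```shell
#!/bin/sh
# Added example: audit whether /etc/pam.d/su enforces wheel-only su and who is
# in the wheel group. Both helpers take a file path so they can be run against
# copies of the real files; the sample files below are constructed.

# Print the effective pam_wheel policy of an su PAM file:
#   enforced  - an active (uncommented) "auth required ... pam_wheel.so" line
#   trust     - an active "auth sufficient ... pam_wheel.so trust" line only
#   disabled  - every pam_wheel.so line is commented out or absent
pam_wheel_mode() {
    # Drop comment lines, keep auth lines that load pam_wheel.so
    active=$(grep -v '^[[:space:]]*#' "$1" | grep '^[[:space:]]*auth' | grep 'pam_wheel\.so' || true)
    [ -z "$active" ] && { echo disabled; return 0; }
    printf '%s\n' "$active" | grep -q 'required.*pam_wheel\.so' && { echo enforced; return 0; }
    printf '%s\n' "$active" | grep -q 'trust' && { echo trust; return 0; }
    echo other
}

# Print the member list pam_wheel would consult: the "wheel" group if it exists,
# otherwise (as pam_wheel itself does) the group whose GID is 0.
wheel_members() {
    line=$(grep '^wheel:' "$1" || true)
    [ -z "$line" ] && line=$(awk -F: '$3 == 0 { print; exit }' "$1")
    printf '%s\n' "$line" | cut -d: -f4
}

# Constructed sample inputs (not real system files)
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/su.default" <<'EOF'
#%PAM-1.0
auth       sufficient   /lib/security/pam_rootok.so
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required     /lib/security/pam_wheel.so use_uid
auth       required     /lib/security/pam_stack.so service=system-auth
EOF

cat > "$SAMPLE_DIR/su.wheel" <<'EOF'
#%PAM-1.0
auth       sufficient   /lib/security/pam_rootok.so
auth       required     /lib/security/pam_wheel.so use_uid
auth       required     /lib/security/pam_stack.so service=system-auth
EOF

cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:root
wheel:x:10:root,alice
users:x:100:
EOF

cat > "$SAMPLE_DIR/group.nowheel" <<'EOF'
root:x:0:root,bob
users:x:100:
EOF

echo "shipped su file:     $(pam_wheel_mode "$SAMPLE_DIR/su.default")"
echo "wheel-only su file:  $(pam_wheel_mode "$SAMPLE_DIR/su.wheel")"
echo "wheel members:       $(wheel_members "$SAMPLE_DIR/group")"
echo "GID 0 fallback:      $(wheel_members "$SAMPLE_DIR/group.nowheel")"
```

Run it against the real files with `pam_wheel_mode /etc/pam.d/su` and `wheel_members /etc/group`; a result of "disabled" on a host that is supposed to restrict su to wheel members is the misconfiguration this thread is about.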