Bug 12161 - wheel group functionality
Summary: wheel group functionality
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: sh-utils
Version: 7.1
Hardware: noarch
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2000-06-12 20:29 UTC by Christian Rose
Modified: 2008-05-01 15:37 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2000-06-30 22:51:16 UTC
Embargoed:



Description Christian Rose 2000-06-12 20:29:14 UTC
I think that wheel group functionality is one security related thing that
could be enabled by default in the next release of Red Hat. The "wheel"
group thing is really easy to add in Red Hat after installation thanks to
PAM, but it always annoys me that I have to manually enable it, and that it
is turned off by default.

The "wheel group" functionality is a default one in FreeBSD. The "wheel"
group is a group with those users that should be able to use "su" to
become root. All other users are being shut out from that possibility:
If they try su:ing to root, and even if they should supply the correct
password, the only response they'll get is the standard "incorrect
password".

Adding this functionality is a matter of adding the line

auth       required     /lib/security/pam_wheel.so

to /etc/pam.d/su and adding those users who should be able to su to
root to the "wheel" group in /etc/group.

I suggest that the above line be added as default to /etc/pam.d/su, and
thus the wheel group functionality be default in the next release of Red
Hat.

Comment 1 Christian Rose 2000-06-12 20:37:43 UTC
Noticed that /etc/pam.d/su belongs to the sh-utils package, and changed the
component accordingly.

Comment 2 Nalin Dahyabhai 2000-06-12 21:14:11 UTC
We would get numerous complaints about users not being able to "su" to get a
root shell if we did this.  Using pam_wheel is a site-specific decision, but in
cases where the administrator is not aware of its existence, pam_wheel can be
very frustrating.

Comment 3 Pekka Savola 2000-06-12 21:44:51 UTC
Well, IIRC pam gives the same error message for password error, account expired, 
and whatever.  This would no doubt be confusing.

However, if 'su' said something to the effect:
---
su: you are not in the correct group to su root.
---
This would be self-documenting.

A lighter approach might be to change file permissions of 'su' and perhaps other
similar relevant programs so that only group 'wheel' can even execute them. No
complaints about peculiar error messages.


Comment 4 Christian Rose 2000-06-13 09:57:16 UTC
That the upgrade path is difficult is, in my opinion, not a reason not to
include a severe security enhancement. The installation program could during an
upgrade warn about the changed behavior and ask what users (UID>500), taken from
the password file, should be able to switch to the superuser via "su".
I've not met anyone who thought that this wheel group behavior shouldn't be the
default. It would be a huge boost in Red Hat PR to the security-conscious Linux
users and admins.

Comment 5 Christian Rose 2000-06-15 10:44:42 UTC
gerald.at suggested that the line

#auth     required     /lib/security/pam_wheel.so group=wheel use_uid

be put (commented) in /etc/pam.d/su . This way, the default behavior would be
the same as ever, but it would be easier for those who want wheel group
functionality to enable it.
Personally, I still think that wheel group functionality should be the default,
but this way Red Hat won't have so much trouble with confused users and the
upgrade path, and those who want this will have it easier.
As for the options to the line above, I don't know if the options are the right
ones (is group=wheel still needed? I think it was resolved in bug 5719), but that
commented line would anyway be a good idea.

Comment 6 Nalin Dahyabhai 2000-06-15 15:41:34 UTC
Adding a commented line to the su configuration file is definitely not a
problem.  I'll make that change today.

Comment 7 Christian Rose 2000-06-20 18:19:30 UTC
chris.ricker.edu told me that the lines in Debian's /etc/pam.d/su
were like this (I added group=wheel to the first line though):

# Uncomment this to force users to be a member of group wheel
# before they can use `su'.
# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
# auth       required   pam_wheel.so group=wheel

# Uncomment this if you want wheel members to be able to
# su without a password.
# auth       sufficient pam_wheel.so trust

# Uncomment this if you want members of a specific group to not
# be allowed to use su at all.
# auth       required   pam_wheel.so deny group=nosu

I think the explanatory lines and examples are nice. Maybe this could be used
in Red Hat's /etc/pam.d/su too?


Comment 8 Brent Nordquist 2000-06-30 13:39:58 UTC
One of the comments above has arguments "group=wheel use_uid" to pam_wheel.so,
but the comment added to the file when closing this bug doesn't.  Just to
double-check:  are those parameters required?

Comment 9 Nalin Dahyabhai 2000-06-30 22:51:14 UTC
The "group=wheel" should not be required.  The logic in pam_wheel defaults to
using the wheel group, and the group with GID=0 if the wheel group does not
exist.  The "use_uid" option checks using the UID of the calling process instead 
of using getlogin(), which I actually think should have been the default.

Comment 10 Christian Rose 2000-07-14 21:46:16 UTC
I've verified this in beta3. Nalin has fixed this and also my suggestion with
some explanatory comments. This is the contents of /etc/pam.d/su in beta3:

#%PAM-1.0
auth	sufficient		/lib/security/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth	sufficient		/lib/security/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth	required		/lib/security/pam_wheel.so use_uid
auth	required		/lib/security/pam_stack.so service=system-auth
account	required		/lib/security/pam_stack.so service=system-auth
password	required		/lib/security/pam_stack.so service=system-auth
session	required		/lib/security/pam_stack.so service=system-auth
session	optional		/lib/security/pam_xauth.so

Looks good to me. I'm closing this now.
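As an added example (not code from this bug or from the sh-utils package), a small Python audit that parses an /etc/pam.d/su file and reports what the pam_wheel lines from comments 7, 9 and 10 actually enforce; the sample file embedded in it is constructed from the beta3 contents above with the "required" line uncommented.

```python
"""Audit an /etc/pam.d/su file for the pam_wheel settings this bug discusses."""
import os

# Constructed sample: the beta3 file quoted in comment 10 with the "required"
# pam_wheel line uncommented, i.e. su to root restricted to the wheel group.
SAMPLE_SU = """\
#%PAM-1.0
auth\tsufficient\t\t/lib/security/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth\tsufficient\t\t/lib/security/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth\trequired\t\t/lib/security/pam_wheel.so use_uid
auth\trequired\t\t/lib/security/pam_stack.so service=system-auth
"""


def parse_pam_lines(text):
    """Yield (type, control, module, options) for each active (uncommented) rule."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue  # not a complete PAM rule, ignore it
        yield parts[0], parts[1], os.path.basename(parts[2]), parts[3:]


def pam_wheel_policy(text):
    """Summarise what pam_wheel enforces in the auth stack.

    restricts: users outside the group are refused su (required/requisite)
    trusts:    group members get root without a password (sufficient + trust)
    denies:    group whose members may not su at all (deny option), or None
    use_uid:   the calling UID is checked rather than getlogin() (comment 9)
    """
    policy = {"restricts": False, "trusts": False, "denies": None,
              "group": "wheel", "use_uid": False}
    for ptype, control, module, opts in parse_pam_lines(text):
        if ptype != "auth" or module != "pam_wheel.so":
            continue
        group = next((o[6:] for o in opts if o.startswith("group=")), "wheel")
        policy["use_uid"] = policy["use_uid"] or "use_uid" in opts
        if "deny" in opts:
            policy["denies"] = group
        elif "trust" in opts and control == "sufficient":
            policy["trusts"], policy["group"] = True, group
        elif control in ("required", "requisite"):
            policy["restricts"], policy["group"] = True, group
    return policy
```

With both pam_wheel lines left commented, as shipped, the result is the all-false default, which is the "same as ever" behaviour comment 5 asks for.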