Well, Neil sets it straight again, nicely done :)
My make wheel & grunt advice is tongue-in-cheek, but I think you'll
find that this stuff does have to do with [security] hardening, so
even though many recent distros include it, it prolly hasn't gotten
into Debian yet (or is in some meta-package).  I don't know which, for
Etch.

ben


On 4/3/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
1) My system allows everyone to become root. It's Debian Etch, btw.

2) The man page doesn't say anything about syntax... already checked.

3) Thanks, I'll use sudo -l.

On 4/3/07, Neil Parker <[EMAIL PROTECTED]> wrote:
> Ben Barrett wrote,
> >IIRC, wheel was intended to match the GID on su, so that non-group
> >members cannot even become root, a hardening tactic that goes along
> >with disallowing any direct root logins.
> >
> >Why not make wheel?  You'll feel so evolved; groupadd wheel and grunt
> >with glee ;)
> >(then again, what good is wheel if you don't use it?)
>
> Problem:  Not all systems treat the wheel group as special.  I believe GNU
> su allows anybody to try to become root regardless of membership in wheel.
>
> If your system has a /etc/login.defs file, it might contain an option
> SU_WHEEL_ONLY that controls whether or not "su root" is restricted to
> members of wheel.
>
> Also beware:  The privileged group, if your system supports it, might not
> be called "wheel".  The name actually doesn't matter--what matters is
> whether the group ID number is 0.  You might find that your group 0 is
> called "root", or maybe some other name entirely.  ("grep :0: /etc/group"
> will tell you the magic name.)
>
> I recommend NOT doing "groupadd wheel".  If you don't already have a group
> called "wheel", that will give you one, but its group ID won't be 0, and it
> will (confusingly) have no special privileges.
>
> If your system already has a group with ID 0, you don't need a new one.
> If you don't already have such a group, it was probably left out for a
> reason, and again you probably don't need to add one.
>
>
>
> Getting back to the original subject, "man sudo" says that "sudo -l" will
> tell you what commands /etc/sudoers allows or forbids you to use.  This
> will probably be quite useful for debugging your edits of /etc/sudoers.
>
>               - Neil Parker
> _______________________________________________
> EUGLUG mailing list
> [email protected]
> http://www.euglug.org/mailman/listinfo/euglug
>
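
An added example (not part of the thread, and not code from any poster) that automates the two checks Neil describes: find the group whose ID is 0 whatever it is named, and read SU_WHEEL_ONLY from login.defs. The function names and sample files are constructed for illustration; it assumes login.defs uses whitespace-separated `NAME value` lines.

```shell
#!/bin/sh
# Added example: the checks from the thread, run against explicit file paths.

# Name of the group whose GID field (3rd field) is exactly 0.
gid0_group() {
    awk -F: '$3 == "0" { print $1; exit }' "${1:-/etc/group}"
}

# Comma-separated member list (4th field) of that group; may be empty.
gid0_members() {
    awk -F: '$3 == "0" { print $4; exit }' "${1:-/etc/group}"
}

# Value of SU_WHEEL_ONLY, or "unset" if the file or option is absent.
# Commented-out lines are skipped because their first word is not the option.
su_wheel_only() {
    f="${1:-/etc/login.defs}"
    [ -r "$f" ] || { echo "unset"; return 0; }
    awk '$1 == "SU_WHEEL_ONLY" { v = $2 }
         END { print (v == "" ? "unset" : v) }' "$f"
}

# One-line summary of both checks.
su_wheel_audit() {
    g=$(gid0_group "$1"); m=$(gid0_members "$1"); s=$(su_wheel_only "$2")
    echo "gid0_group=${g:-none} members=${m:-none} SU_WHEEL_ONLY=$s"
}

# Constructed sample files (not from a real host): "wheel" was created with
# groupadd and got a non-zero GID, while group 0 is named "root".
tmp=$(mktemp -d)
printf '%s\n' 'root:x:0:' 'staff:x:50:alice' 'wheel:x:1001:alice' > "$tmp/group"
printf '%s\n' '#SU_WHEEL_ONLY yes' 'SU_WHEEL_ONLY no' > "$tmp/login.defs"
su_wheel_audit "$tmp/group" "$tmp/login.defs"
rm -rf "$tmp"
```

To check a real host, call `su_wheel_audit /etc/group /etc/login.defs`.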