[blfs-dev] Regarding adding wheel group

DJ Lucas dj at linuxfromscratch.org
Sat Nov 24 06:50:10 PST 2018


On November 24, 2018 6:57:36 AM CST, spiky0011 via blfs-dev <blfs-dev at lists.linuxfromscratch.org> wrote:
>I see some changes have been made regarding Systemd and wheel group, 
>Shouldn't there be an entry
>
>in LFS /etc/group file. I see that it mentioned in BLFS "About system 
>users and groups"

Yes, thank you. There is one change required in LFS (wheel 97). Linux-PAM will get a change for pam_wheel in su. I was undecided how to present the topic, but have since decided while composing this message (see below if interested). The sudo page will get the %wheel configuration entry by default regardless of pam_wheel above.

<LooselyRelatedRambling>
Initially 'account sufficient pam_wheel.so trust use_uid' seems like a neat *commented* example for su (with also auth required but only the auth restriction by default). If the account line is uncommented, users of the wheel group would not be required to know the root password to su, but the auth line restricts the command to members of the wheel group (this will be default).

The pam_wheel module can also be used to *grant* perms elsewhere in combination with setuid binaries (possibly for ACLs too??). Restricting certain commands makes sense, but I'm not sure it should be default... for instance, I had briefly considered chage (and its descendants), but think I'm only going to provide the su example in the book (consistent with other distros' defaults). It is not inconceivable, however, to set the coreutils binaries setuid root, with the above parameters in the individual configs, and forgo sudo completely. An odd corner case, for sure, and one that is likely to be error prone, but doable nonetheless.

The pam_wheel check would be...odd (?) for the sudo PAM config (sudo does this on its own).
</LooselyRelatedRambling>

--DJ

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
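As an added illustration (not part of the list post or the BLFS book), here is a small POSIX sh audit of the two pam_wheel lines DJ discusses for su: the default `auth required pam_wheel.so use_uid` restriction and the commented-out `trust` line that would let wheel members skip the password. The sample su file and group file are constructed; the layout, the placement of the trust line in the auth stack, and the `wheel:x:97:` entry are assumptions modelled on the message.

```shell
#!/bin/sh
# Added example: audit an /etc/pam.d/su-style file and an /etc/group-style
# file for the wheel-related settings discussed in the message above.

# Constructed sample su config (assumed layout): the restricting auth line
# is active, the password-bypassing "trust" line is commented out.
SAMPLE_SU=$(mktemp)
cat > "$SAMPLE_SU" <<'EOF'
# Begin /etc/pam.d/su
auth      sufficient  pam_rootok.so
# Uncomment to let wheel members su without the root password:
#auth     sufficient  pam_wheel.so trust use_uid
auth      required    pam_wheel.so use_uid
auth      include     system-auth
account   include     system-account
session   include     system-session
# End /etc/pam.d/su
EOF

# Second constructed sample with the trust line uncommented.
SAMPLE_SU_TRUST=$(mktemp)
sed 's/^#auth/auth/' "$SAMPLE_SU" > "$SAMPLE_SU_TRUST"

# Constructed sample group file carrying the wheel entry (GID 97 per the post).
SAMPLE_GROUP=$(mktemp)
printf 'root:x:0:\nwheel:x:97:\nusers:x:999:\n' > "$SAMPLE_GROUP"

# Print the uncommented pam_wheel lines of file $1 with module type $2
# (auth/account) and control $3 (required/sufficient). Commented lines
# never match because the pattern is anchored at the line start.
pam_wheel_lines() {
    grep -E "^[[:space:]]*$2[[:space:]]+$3[[:space:]]+pam_wheel\.so" "$1"
}

# Exit 0 if su is restricted to wheel members (auth required pam_wheel.so).
su_restricted_to_wheel() {
    pam_wheel_lines "$1" auth required >/dev/null
}

# Exit 0 if wheel members may skip the password (trust on a sufficient line).
wheel_trust_enabled() {
    pam_wheel_lines "$1" auth sufficient | grep -q 'trust'
}

# Exit 0 if the group file has a wheel group with the expected GID ($2).
wheel_group_present() {
    grep -q "^wheel:[^:]*:$2:" "$1"
}
```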
