tech-userlevel: Re: su(1) group wheel restriction

Subject: Re: su(1) group wheel restriction
To: Chad Mynhier <mynhier@cs.utk.edu>
From: Greg Hudson <ghudson@MIT.EDU>
List: tech-userlevel
Date: 01/09/1997 10:30:34

> What is the difference between adding a user to /etc/su.conf and
> adding the user to the wheel group? It seems that the only real
> difference between the two is the ability to put '*' in
> /etc/su.conf.

Precisely. The only reason to retain the meaning of group wheel at
all, in this scheme, would be for backward compatibility.

> This may be a naive question, but is the root password known by so
> many people at your site that it's easier to let anyone su than to
> add specific people to the wheel group?

There are a bunch, but it's more a combination of:

	* No other operating system we use has the restriction; that
	  is, we are used to restricting root access based on "what
	  you know" rather than by both "what you know" and "who you
	  are".
	* There are other, more laborious ways for these people to get
	  root access to the machines in question.
	* The multi-user security of a given workstation is less
	  important in our environment, so the tradeoff favors the
	  "weaker security" of disabling the group wheel restriction.
