On 03/01/2010 01:14 PM, Florian Pritz wrote:
> On 03/01/2010 07:58 PM, David C. Rankin wrote:
>> As the comment says, the entry causes pam to implicitly trust members of the
>> wheel group. Eliminating the need to type a 14 char pw 10 times a day is a
>> time-saver.
>
> PAM itself should be pretty secure, but what you are trying to achieve
> isn't. There is a reason behind that password prompt. You don't want
> anyone who gains access to your account (daemons, scripts, ...) to have
> root access right away without ever asking for a password. If you don't
> want to type yours that often use sudo -s.
>

Ed, Florian,

Thank you for your insight. I guess I should have also included the fact that the box in question sits in my home-office and physical security isn't an issue. Also, there is only one member of the wheel group -- me.

Thinking through the threat scenario, as long as pam is doing its job and only allowing members of the wheel group to su without a password, that limits vulnerability to (1) a pam exploit or (2) privilege escalation by a user to become a member of the wheel group. I see it as pretty minimal, but I guess a good compromise is to revert to a password when the machine goes online, but to enjoy the convenience while I'm setting the box up while it doesn't have any access from the outside.

It worries me to think about the possible security implications, but the lazy side of me sure does like the convenience :p

-- 
David C. Rankin, J.D.,P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com
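Added example, not part of the original message or thread: a small audit that reports whether a PAM `su` stack lets wheel members skip the password, and which accounts that covers, so the setting can be checked before the machine goes online. It assumes the entry under discussion is the usual `auth sufficient pam_wheel.so trust use_uid` line (the message does not quote it); the sample files, the account name and all function names are constructed for illustration.

```python
import re

# Constructed sample of an /etc/pam.d/su file with the wheel-trust entry active.
SAMPLE_PAM_SU = """\
#%PAM-1.0
auth      sufficient  pam_rootok.so
auth      sufficient  pam_wheel.so trust use_uid
#auth     required    pam_wheel.so use_uid
auth      required    pam_unix.so
account   required    pam_unix.so
session   required    pam_unix.so
"""

# Constructed sample of /etc/group.
SAMPLE_GROUP = "root:x:0:root\nwheel:x:10:david\nusers:x:100:\n"

# type, control (keyword or [bracketed]), module, optional arguments
ENTRY = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def passwordless_wheel_entries(pam_text):
    """Return [(line_number, text)] for active auth entries where pam_wheel is
    given 'trust' under a control that ends the stack on success."""
    hits = []
    for number, raw in enumerate(pam_text.splitlines(), 1):
        match = ENTRY.match(raw.split("#", 1)[0].strip())  # drop comments
        if not match or match.group(1) != "auth":
            continue
        control, module, args = match.group(2), match.group(3), match.group(4).split()
        ends_stack = control == "sufficient" or "success=done" in control
        if module.endswith("pam_wheel.so") and "trust" in args and ends_stack:
            hits.append((number, raw.strip()))
    return hits

def wheel_members(group_text, group="wheel"):
    """Supplementary members of the group as listed in /etc/group format
    (users whose primary group is wheel do not appear in this field)."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == group:
            return [user for user in fields[3].split(",") if user]
    return []

def audit(pam_text, group_text):
    """Summarise who can become root through su without a password."""
    entries = passwordless_wheel_entries(pam_text)
    return {"passwordless": bool(entries), "entries": entries,
            "accounts": wheel_members(group_text) if entries else []}

if __name__ == "__main__":
    print(audit(SAMPLE_PAM_SU, SAMPLE_GROUP))
```

To check a real system, pass the contents of `/etc/pam.d/su` and `/etc/group` to `audit()`; every account it lists is one whose compromise yields root with no further prompt.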