This is clearly a bug. pam_wheel should not restrict su-ing to non-root accounts. I see the same behaviour on my system.

Werner

On Sun, 13 Oct 2002, KhoGuan PhuaN wrote:

> The security policy enforced by pam_wheel.so module is to grant
> privilege of su'ing to `both root and non-root' only to people
> in a privileged group (default wheel group, if not found, group with
> gid=0). I think it's overkill. The reasoning is as follows:
>
> 1. It should do just what it claims to do: "only permit root
> authentication to members of wheel group", but no more. That is,
> leave non-root authentication alone.
>
> 2. Even if it's desirable to restrict su'ing to non-root, and to
> incorporate this function into pam_wheel, it should be implemented
> at a different level, perhaps by designing different arguments for
> pam_wheel. Su'ing to root has much more security concern than su'ing
> to general users. And the latter would be very convenient for two
> users who trust each other and share each other's passwords. The
> admin should not deprive their humble wishes of doing that. It's not
> related to the wheel group membership. The policy is UNFAIR that they
> are not allowed to su to each other just because they are not members
> of the wheel group, which has only to do with system maintenance they
> would never be interested in.
>
> Yet another concern comes to me: what about su'ing to wheel members by
> non-wheel members? Should it be implemented in yet another different
> pam_wheel argument? Maybe it's good, maybe it's overkill on the other
> end.
>
> Should I file a `bug' report? Or do I over-sympathize with the dummy
> users who are always messing things up? Any suggestion and correction
> would be highly appreciated.
>
> --KhoGuan Phuann
>
> _______________________________________________
> Pam-list@redhat.com
> https://listman.redhat.com/mailman/listinfo/pam-list