2002-10-14 11:39, Werner Puschitz wrote:
> This is clearly a bug. pam_wheel should not restrict su-ing to non-root
> accounts. I see the same behaviour on my system.
>
> Werner
>
> On Sun, 13 Oct 2002, KhoGuan PhuaN wrote:
> > The security policy enforced by pam_wheel.so module is to grant
> > privilege of su'ing to `both root and non-root' only to people
> > in a privileged group (default wheel group, if not found, group with
> > gid=0). I think it's overkilling. The reasoning is as follows:
> >
> > 1. It should do just what it claims to do: "only permit root
> > authentication to members of wheel group", but no more. That is,
> > leave non-root authentication alone.
> >
> > 2. Even if it's desirable to restrict su'ing to non-root, and to
> > incorporate this function into pam_wheel, it should be implemented
> > in a different level, perhaps by designing different arguments for
> > pam_wheel. Su'ing to root has much more security concern than su'ing
> > to general users. And the latter would be very convenient for two
> > users who trust each other and share each other's passwords. The
> > admin should not deprive their humble wishes of doing that. It's not
> > related to the wheel group membership. The policy is UNFAIR that they
> > are not allowed to su to each other just because they are not members
> > of the wheel group, which has only to do with system maintenance they
> > would never be interested in.
> >
> > Yet another concern comes to me: what about su'ing to wheel members by
> > non-wheel members. Should it be implemented in yet another different
> > pam_wheel argument. Maybe it's good, maybe it's overkilling on the other
> > end.
> >
> > Should I file a `bug' report? Or do I over-sympathize with the dummy
> > users who are always messing things up. Any suggestion and correction
> > would be highly appreciated.
> >
> > --KhoGuan Phuann

Werner and Jenn,

Thanks for your confirmation, I just submitted a bug report #623227
to the PAM project on sourceforge.net.

Best regards,
Khoguan

_______________________________________________
Pam-list@redhat.com
https://listman.redhat.com/mailman/listinfo/pam-list