Re: What groups does a desktop power-user need to belong to?
On Wednesday 10 Aug 2011, Robert Isaac wrote:
> On Mon, Aug 8, 2011 at 11:05 AM, A J Stiles <email@example.com> wrote:
> > The idea is, by cunning use of groups, never to have to give out the root
> > password in the first place.
>
> I understand that, however _all_ users can gain root with gnu su,
> effectively defeating the purpose of groups if you don't configure
> pam_wheel beyond its default.

Not _all_ users -- only the ones who have the root password. Which you simply
don't give to ordinary users. If someone needs to write a CD, you need only
make them a member of the group "cdrom" which has write permission on the CD
writer device. If they need to print, you make them a member of group "lp".
If someone really needs to use a few commands that really are root-only but it
is not desirable for them to have full root privileges, they should be using
sudo limited only to those commands.

Anyway, "wheel" is no magic bullet. Even on a system which supports it, what
is there to stop a user who has the root password and physical access but
isn't a member of the group "wheel", from logging in directly as root from

delta echo bravo six four at earthshod dot co dot uk
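
The two su situations argued about in this thread, plus the device-group approach, as an added example that is not part of either poster's message: a shell audit run over constructed group and PAM files. The users alice, bob and carol, the file names and the function names are all assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample files; nothing here is read from the real /etc.
make_samples() {
    cat > "$1/group" <<'EOF'
root:x:0:
wheel:x:10:alice
cdrom:x:24:alice,bob
lp:x:7:bob,carol
EOF
    # Default-style file: the pam_wheel line is present but commented out.
    cat > "$1/su.default" <<'EOF'
auth       sufficient pam_rootok.so
# auth       required   pam_wheel.so
auth       include    system-auth
EOF
    # Hardened copy: the same file with the pam_wheel line uncommented.
    sed 's/^# *\(auth.*pam_wheel\.so\)/\1/' "$1/su.default" > "$1/su.hardened"
}

# Succeeds when an uncommented auth line makes pam_wheel mandatory for su.
# Simplification: only the required/requisite control flags are recognised.
pam_wheel_enforced() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so' "$1"
}

# Print the supplementary members of group $1 as listed in group file $2.
# Users who hold the group only as their primary gid are not listed there.
group_members() {
    awk -F: -v g="$1" '$1 == g { print $4 }' "$2"
}

# Who can become root through su, given PAM file $1 and group file $2.
# Assumes pam_wheel checks the group named "wheel" (no group= option set).
su_allowed() {
    if pam_wheel_enforced "$1"; then
        group_members wheel "$2"
    else
        echo "anyone-with-root-password"
    fi
}

tmp=$(mktemp -d)
make_samples "$tmp"
for g in cdrom lp; do
    echo "$g device access: $(group_members "$g" "$tmp/group")"
done
echo "su, default PAM file:  $(su_allowed "$tmp/su.default" "$tmp/group")"
echo "su, pam_wheel enabled: $(su_allowed "$tmp/su.hardened" "$tmp/group")"
rm -rf "$tmp"
```

Even with pam_wheel enforced, the members listed still need the root password to use su; the check only narrows who may try.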