Re: What groups does a desktop power-user need to belong to?

[A J Stiles <deb64@earthshod.co.uk>]

On Wednesday 10 Aug 2011, Robert Isaac wrote:
> On Mon, Aug 8, 2011 at 11:05 AM, A J Stiles <deb64@earthshod.co.uk> wrote:
> > The idea is, by cunning use of groups, never to have to give out the root
> > password in the first place.
> I understand that, however _all_ users can gain root with gnu su,
> effectively defeating the purpose of groups if you don't configure
> pam_wheel beyond its default.

Not _all_ users -- only the ones who have the root password.  Which you simply 
don't give to ordinary users.  If someone needs to write a CD, you need only 
make them a member of the group "cdrom" which has write permission on the CD 
writer device.  If they need to print, you make them a member of group "lp".

If someone really needs to use a few commands that really are root-only but it 
is not desirable for them to have full root privileges, they should be using 
sudo limited only to those commands.

Anyway, "wheel" is no magic bullet.  Even on a system which supports it, what 
is there to stop a user who has the root password and physical access but 
isn't a member of the group "wheel", from logging in directly as root from 
the console?

-- 
AJS
delta echo bravo six four at earthshod dot co dot uk