Re: Uninstallable Packages
On Thu, 7 Oct 1999, Roland Rosenfeld wrote:
> On Thu, 07 Oct 1999, Kurt D. Starsinic wrote:
> > secure-su is also uninstallable.
> As far as I can see, secure-su is no longer available in potato. It
> is replaced by the login package (including /bin/su) which is now
> linked with PAM and this behaves like the secure-su if you activate
> the line
> auth required pam_wheel.so
> in /etc/pam.d/su.
Alas, the pam_wheel module is not nearly as flexible as secure-su is. So,
I would argue there is no real replacement for secure-su.
- pam_wheel lets you specify which users are allowed to su to root and
whether they need a password to do this or not.
- secure-su lets you specify which users are allowed to su to which other
users and which of those users needs a password to do this. Take a look
at suauth(5) (in the secure-su package). root is always allowed to su to
another user without a password.
I have had a setup where the user 'news' has no valid password, yet there
was one user (the news administrator) that could su to news without typing
a password. No need to remember yet another password, no need to su to
root first. With the latest potato packages, this is no longer possible
(if it is, please tell me so).
rd1936: 12:15am up 16 days, 4:05, 8 users, load average: 4.81, 4.68, 4.00