
History ...: [RFC] disabled root account / distinct group for users with administrative privileges



Hi,

Let's not reinvent the "wheel" :-)

(Let's use old "wheel" group in line with current documentations.)

On Sat, Oct 23, 2010 at 09:44:41PM +0200, Arthur de Jong wrote:
> On Thu, 2010-10-21 at 16:48 +0100, Philip Hands wrote:
> > If we decide to reject 'admin', I think we should use sudo.  I find the
> > argument that admin is confusing given the presence of adm fairly
> > convincing -- It's all too easy to say something like "could you add
> > fred to the adm group" over the phone and pronounce 'adm' as 'admin'.

Very true.
 
> > Sadly, we are not the first to make this decision though, and having
> > admin on Ubuntu and sudo on Debian would be a pain for people that have
> > mixed sites, or even for admins that just have access to some of each.
> 
> The admin group is already used in update-notifier though (#502392) and
> perhaps also other software coming from Ubuntu.

If we talk about previous practices, the use of "wheel" predates "admin"
to describe the group for users with administrative privileges.  This fact
can be seen in many current core packages, although they are mostly in
documentation only, thanks to RMS.  Let me list a few references.

The most notable one is still in our current squeeze "info su" as:

| 23.6.1 Why GNU `su' does not support the `wheel' group
| ------------------------------------------------------
| 
| (This section is by Richard Stallman.)
| ...

Since we use the PAM version of su in Debian, this is not true.  But it
clearly states the "wheel" group is intended for such use.

The current su can be configured to support the "wheel" group now as
described in /etc/pam.d/su despite RMS's wish.

| # Uncomment this to force users to be a member of group root
| # before they can use `su'. You can also add "group=foo"
| # to the end of this line if you want to use a group other
| # than the default "root" (but this may have side effect of
| # denying "root" user, unless she's a member of "foo" or explicitly
| # permitted earlier by e.g. "sufficient pam_rootok.so").
| # (Replaces the `SU_WHEEL_ONLY' option from login.defs)
| # auth       required   pam_wheel.so
 
Here, the use of "root" group is implied.  It could be made to use the "wheel"
group as long as root is also its member.  Odd old history of GNU by RMS
here.
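As an added example (not part of the original mail), here is a small check of the side effect the quoted pam.d comment warns about: given the contents of /etc/pam.d/su, /etc/passwd and /etc/group (all three constructed samples, not a real system), it works out which group an active pam_wheel.so line makes mandatory for su and whether root itself would be locked out of su.

```python
# Constructed sample of /etc/pam.d/su: the pam_wheel line is enabled and
# pointed at "wheel"; pam_rootok.so comes only after it.
PAM_SU = """\
# auth       required   pam_wheel.so
auth       required   pam_wheel.so group=wheel
auth       sufficient pam_rootok.so
@include common-auth
"""
# Constructed /etc/passwd and /etc/group samples: root is not in "wheel".
PASSWD = "root:x:0:0:root:/root:/bin/bash\nosamu:x:1000:1000::/home/osamu:/bin/bash\n"
GROUP = "root:x:0:\nwheel:x:10:osamu\nsudo:x:27:alice\n"


def parse_pam_auth(pam_text):
    """Yield (control, module, options) for active 'auth' lines, in order.
    Commented-out lines start with '#' and are skipped."""
    for line in pam_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "auth":
            yield fields[1], fields[2], fields[3:]


def wheel_policy(pam_text):
    """Return (group, rootok_first): the group pam_wheel.so enforces (default
    "root", as the Debian comment says), or None if no active pam_wheel line;
    rootok_first is True when 'sufficient pam_rootok.so' precedes it, which
    lets root through even when root is not in the group."""
    rootok_first = False
    for control, module, opts in parse_pam_auth(pam_text):
        if module == "pam_rootok.so" and control == "sufficient":
            rootok_first = True
        if module == "pam_wheel.so":
            group = next((o[6:] for o in opts if o.startswith("group=")), "root")
            return group, rootok_first
    return None, rootok_first


def is_member(user, group, passwd_text, group_text):
    """True if group is the user's primary group or lists the user as a member."""
    primary = {p[0]: p[3] for p in (l.split(":") for l in passwd_text.splitlines()) if len(p) >= 4}
    for line in group_text.splitlines():
        g = line.split(":")
        if len(g) >= 4 and g[0] == group:
            return primary.get(user) == g[2] or user in g[3].split(",")
    return False


def root_locked_out(pam_text, passwd_text, group_text):
    """True when su is restricted to a group root is not in and no earlier
    'sufficient pam_rootok.so' lets root through."""
    group, rootok_first = wheel_policy(pam_text)
    if group is None or rootok_first:
        return False
    return not is_member("root", group, passwd_text, group_text)
```

With the samples above, `root_locked_out(PAM_SU, PASSWD, GROUP)` is True; adding root to "wheel" or moving pam_rootok.so above the pam_wheel line makes it False.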

In the current sudoers(5) manpage, the use of the "wheel" group is also implied
for such a root access group in its example.

|   The User specification is the part that actually determines who may run
|   what.
|    root           ALL = (ALL) ALL
|    %wheel         ALL = (ALL) ALL
|   We let root and any user in group wheel run any command on any host as
|   any user.

As I see in http://en.wikipedia.org/wiki/Wheel_(Unix_term) , the "wheel"
group seems the most traditional name for such administrative privileges
from pre-Unix days.  (I thought wheel was a BSD thing, but these are
much older.)

So let us not reinvent a new group name.  Let's use the old "wheel" group.

Whatever we choose, it may be a good idea to have some consistency across
our system and documentation.

Osamu
