
Re: user in group root



On Sat, Jun 17, 2000 at 10:32:01PM +0200, Sven Burgener wrote:
> Hello all
> 
> Is it "wise" to put a (power-)user into the root-group?

I do not think it is (though it should be, IMO); there are a few
reasons:

gid 0 (root on linux) is usually only used as the `wheel' group, under
BSD you add users to the wheel group who are permitted to su to root.
group wheel membership makes almost NO changes to what the user has
permissions to.  there are a couple files here and there that
gid=wheel members have *read* permission to (config files mostly) that
i see on my OpenBSD system, but otherwise being a member of group
wheel does nothing more for me than let me su to root.

now under linux gid=root is not intended to be used this way because
su does not enforce the so called wheel group.  thus the permissions
on the filesystem do not appear to be appropriate for this use.

i have found several packages in debian in the past (some may or may
not be fixed now) that install files writable to group=root.  this
violates debian policy.  also i have found 22 nodes in /dev that are
read/writable by group root but not accessible at all by normal
users.  rather than spam the list you can run the following command to
see for yourself:

find /dev -group root \( -perm +0040 -o -perm +0020 \) ! -type l ! -perm +0007 -ls

i don't know for sure what all these nodes are for but many of them i
don't like the idea of having read/write access full time under my
normal user account.  part of the purpose for running as a non-root
user is to minimize the damage a bogus/trojan program can do if it is
somehow run. 

instead of trying to remake GNU/Linux into BSD in regards to gid 0 i
instead create a real group wheel (gid 100something) and use that to
enforce the wheel group with pam_wheel, i also chgrp some config files
that i want readable to wheel members but not everyone.  this is safer
and is the path of least resistance.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
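The find command quoted in the mail, generalised to any directory and any group as an added example (this is not code from the original mail); the function names and the POSIX `-perm -MODE` spelling are my choices.

```shell
#!/bin/sh
# Added example, not code from the original mail.  Generalises the find
# command quoted above: list every entry under DIR owned by group GID that
# gives the group read or write access but gives "other" no access at all.
# Those are precisely the files a user gains access to by being added to
# that group; GID 0 (group root) is the case the mail is about.
# Uses POSIX find syntax (-perm -MODE) instead of the old GNU "-perm +MODE"
# form, which current GNU find has dropped in favour of "-perm /MODE".

# audit_group_only DIR GID -> prints matching paths, one per line, sorted
audit_group_only() {
    dir=$1
    gid=$2
    find "$dir" -group "$gid" ! -type l \
        \( -perm -g=r -o -perm -g=w \) \
        ! -perm -o=r ! -perm -o=w ! -perm -o=x \
        -print 2>/dev/null | sort
}

# count_group_only DIR GID -> number of matching entries
count_group_only() {
    audit_group_only "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone use: audit /dev for group root (gid 0), as in the mail.
if [ "${1:-}" = "--run" ]; then
    audit_group_only /dev 0
fi
```

Run it as `sh audit.sh --run` to reproduce the /dev check from the mail; on a system where the wheel group exists, pass its gid instead of 0 to see what wheel members gain.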
