On Sun, Sep 17, 2000 at 03:33:03AM +0200, Christian Pernegger wrote: > Hi all! > > I'm playing with customizing PAM at the moment and want > to restrict the use of 'su' to members of group 'root' > by enabling the feature in /etc/pam.d/su. > > However, when I try to > > adduser myuser root > > it says group 'root' doesn't exist. (I checked in /etc/groups > and /etc/gshadow, just to be sure - they're there allright.) adduser can't distinguish group root from user root, its a bug. i would recommend against using group root for this purpose, instead add a new group `wheel' and use that. linux system are simply not setup for gid=0 to have members. just look in /dev for all the crap writable by group root. on BSD systems group wheel membership gives you no extra acess on the filesystem (except for read access to a couple logs and config files, thats it, no write) unless you want to constantly chase permissions around use a seperate wheel group instead. for pam add this line to the top of your /etc/pam.d/su file: auth requisite pam_wheel.so group=wheel debug this works very well for me. -- Ethan Benson http://www.alaska.net/~erbenson/
Attachment:
pgpph487cPypc.pgp
Description: PGP signature