Why GNU `su' does not support the `wheel' group
===============================================
(This section is by Richard Stallman.)
Sometimes a few of the users try to hold total power over all the
rest. For example, in 1984, a few users at the MIT AI lab decided to
seize power by changing the operator password on the Twenex system and
keeping it secret from everyone else. (I was able to thwart this coup
and give power back to the users by patching the kernel, but I wouldn't
know how to do that in Unix.)
However, occasionally the rulers do tell someone. Under the usual
`su' mechanism, once someone learns the root password who sympathizes
with the ordinary users, he or she can tell the rest. The "wheel
group" feature would make this impossible, and thus cement the power of
the rulers.
I'm on the side of the masses, not that of the rulers. If you are used to
supporting the bosses and sysadmins in whatever they do, you
might find this idea strange at first.
I'm no system security expert, but why would you want anyone to gain root access to a system? In FreeBSD and other systems, you have to be a member of the "wheel" group before you can use su to become the root user. If you configure your system properly, the only place that the root user should be able to log on from is the physical console attached to the machine. From this standpoint, the only way to become root over a remote connection would be to elevate your privileges by using a tool like su.
If by some chance your root password slipped out, and your system uses the GNU version of su, any user who knew the root password could access your system. From a sysadmin's standpoint, I'd feel like it's my or my company's system, not the users'. I should be able to determine who can and can't get root access via su. Assuming a networked environment, only the admin should be logging into the physical console of the box as root. Anyone else connecting remotely should only be able to gain root access if they're explicitly allowed to by some system configuration policy.
It sounds to me like he's looking at the administrators as "rulers" who could oppress the users of a system, and having open access to the su mechanism is like a check or balance. It sounds to me like a place where system integrity could be compromised by political ideals...
Anyone have any comments? I may be looking at this in the wrong light, but it seems like the wrong place to inject a social belief.
3m00
07-06-2003, 11:58 PM
It's the same mentality. If everyone has the password... then there is no curiosity to destroy. Okay, maybe that worked at MIT, but come on, nowadays that's just crazy. There are mean evil people out there who have nothing better to do than steal your password, use it to gain information, then buy things with your credit card number, ruin your life, or any other number of bad bad things. Stop living in your little tiny hole under a rock, RMS.
It does kind of sound like a joke though... oppressive rulers of the system in 1984. Maybe the 1984 part is exaggeration... but the whole 'let everyone have the password!' mentality is way out of date.
Sepero
07-07-2003, 12:06 AM
It's very Stallman-ish. If you knew more about him and the struggles he has been through, you would know why he writes things like this. It isn't that he is against privacy, but his goal in life has become the exchange of information. I read this book about a week ago:
http://www.oreilly.com/openbook/freedom/index.html
It's a very interesting read. It might even help explain to you why people like me support GNU, instead of licences like BSD.
P.S.
Just to be clear with everyone, I do not agree with everything Stallman stands for. He is a very different individual, but on the terms of the GNU, I don't think a better license has been created to date.
Edit: To 3m00:
No, 1984 is not an exaggeration.
Strogian
07-07-2003, 12:15 AM
It sounds to me like he's looking at the administrators as "rulers" who could oppress the users of a system, and having open access to the su mechanism is like a check or balance.
Sounds like that to me. Like the 2nd amendment, except that this is stupid. :D
stiles
07-07-2003, 12:34 AM
I suspect that this RMS rant is pretty old (it probably pre-dates linux .99), but it shows his roots in academia no doubt. I don't agree with his rant but it is nice that with linux you can choose to implement a wheel group and are not forced to do so by developers that have hard coded this feature into su. Wanta know how to implement a wheel group on linux? OK:
edit /etc/pam.d/su
add:
auth required pam_wheel.so
now you have the bsd behavior. Want to let members of the wheel group to su - root without providing a password, you can do that too:
add:
auth sufficient pam_wheel.so trust
want to deny usage of su for members of a specific group, that can be done too
add:
auth required pam_wheel.so deny group=nosu
I find the pam solution far more flexible than the hard coded wheel group feature.
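Added example, not part of stiles's post or the thread: a small Python check that reads the text of /etc/pam.d/su and reports which of the three pam_wheel behaviours described above are active, including the case where the line is present but commented out. The sample file contents and the function names audit_su_pam and findings are constructed for illustration.

```python
# Added example: summarise the pam_wheel policy in a PAM service file such as
# /etc/pam.d/su. Only plain control keywords are handled, not [value=action].

def audit_su_pam(text):
    policy = {"restricted_to": None, "passwordless_for": None, "denied": []}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # a commented-out line has no effect
        if len(fields) < 3 or fields[0].lstrip("-") != "auth":
            continue
        control, module, opts = fields[1], fields[2], fields[3:]
        if module.rsplit("/", 1)[-1] != "pam_wheel.so":
            continue
        group = "wheel"                          # default group checked by pam_wheel
        for opt in opts:
            if opt.startswith("group="):
                group = opt.split("=", 1)[1]
        if control in ("required", "requisite"):
            if "deny" in opts:
                policy["denied"].append(group)   # members of group are refused
            else:
                policy["restricted_to"] = group  # non-members are refused
        elif control == "sufficient" and "trust" in opts and "deny" not in opts:
            policy["passwordless_for"] = group   # members get root with no password
    return policy

def findings(policy):
    out = []
    if policy["restricted_to"] is None:
        out.append("su is open to every account that knows the target password")
    if policy["passwordless_for"]:
        out.append("membership of '%s' is equivalent to root" % policy["passwordless_for"])
    return out

# Constructed sample files (not taken from any real host).
DEFAULT_SU = """\
auth sufficient pam_rootok.so
# auth required pam_wheel.so
auth required pam_unix.so
"""
WHEEL_SU = """\
auth sufficient pam_rootok.so
auth required pam_wheel.so deny group=nosu
auth sufficient pam_wheel.so trust
auth required pam_wheel.so
auth required pam_unix.so
"""

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_SU), ("wheel", WHEEL_SU)):
        print(name, audit_su_pam(text), findings(audit_su_pam(text)))
```

Order matters in the second sample: the trust line has to come before the plain required line, otherwise wheel members are still asked for the password.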
mrbl0nde
07-07-2003, 01:35 AM
analogy:
just because somebody is my employee does not mean they have the right to possess a key to the building. those that have a legitimate need for a key and have gained the trust of their supervisors may be given such a privilege. however, it is not a right simply because they are an employee (unless you are a company full of hippies).
similarly, just because somebody is a user on my system doesn't mean i owe them the keys to the entire box.
Alex Cavnar, aka alc6379
07-07-2003, 01:55 AM
Originally posted by mrbl0nde
analogy:
just because somebody is my employee does not mean they have the right to possess a key to the building. those that have a legitimate need for a key and have gained the trust of their supervisors may be given such a privilege. however, it is not a right simply because they are an employee (unless you are a company full of hippies).
similarly, just because somebody is a user on my system doesn't mean i owe them the keys to the entire box.
That's my point exactly.
Originally posted by stiles
I find the pam solution far more flexible than the hard coded wheel group feature.
I've not given PAM enough of a look. From what I have seen, PAM seems to be a great thing for Linux/*NIX security. Personally, I don't see anything wrong with a hard-coded wheel group. But, I could see how you would need something more flexible to specify groups to administer certain system settings. I mean, why would someone who solely dealt with administering http services need to mess with init scripts?
Whatever the situation, I'm all for segregation of privileges. My whole thing is the exclusion of such a feature because of an ideological belief.
Sepero
07-07-2003, 02:22 AM
Stallman won't even go near something that makes him look like a hipocrit(sp?). What he wrote in that manpage was basically why he feels allowing wheel group might make him look that way. Also, it's true that he probably wrote that many years ago (how old is wheel group?).
Very good post stiles. I don't know about everyone else, but I know I learned something new.
stiles
07-07-2003, 02:31 AM
Originally posted by Alex Cavnar, aka alc6379
Personally, I don't see anything wrong with a hard-coded wheel group.
Cause that's the only behavior you can use and you are required to use that hard coded behavior regardless of your application. Like I said the PAM solution is far more flexible, you can choose not to implement a wheel group (for a workstation maybe), you can have the exact same behavior that bsd su hard codes, you can modify the wheel group behavior and not require a password for members of the wheel group and you can totally deny access to su to a specific group. You can even require root to provide a password to su to another account via the pam_rootok.so PAM if you wanted to.
Originally posted by Alex Cavnar, aka alc6379
But, I could see how you would need something more flexible to specify groups to administer certain system settings. I mean, why would someone who solely dealt with administering http services need to mess with init scripts?
To start the httpd daemon (and other required process if they run on that server)? :D I think you are starting to get into rule set based access control and mandatory access control types of concepts with the idea of separating specific rootly privs which greatly increase the complexity of the system. Now if the init script thing is about bsd init is easy cause you don't have to write a script (which is true), the flip side to that is that bsd init introduces a single point of failure in the init system by simplifying the init system.
Originally posted by Alex Cavnar, aka alc6379
My whole thing is the exclusion of such a feature because of an ideological belief.
I agree, but the irony of the situation is that the refusal of adding a hard coded feature somewhat gave a push to adopt a technology that is far more flexible and better for both admins and users if used correctly.
roamingnomad
07-07-2003, 03:31 AM
Giving users the su command is more like giving them the lock, don't you think? Unless the user has the root password, he still can't do anything until you tell him that password.
3m00
07-07-2003, 03:38 AM
Originally posted by roamingnomad
Giving users the su command is more like giving them the lock, don't you think? Unless the user has the root password, he still can't do anything until you tell him that password.
Well, assuming users don't share accounts, if I have the ABILITY to su, my friend could give me the root password which they obtained through proper channels and I would have complete control. On the other hand... if only users in the root wheel can su and I can't control anything without using my friend's logon, which hopefully (if workstations were setup right) would raise alarms if I used, then everything would be safe.
DMR
07-07-2003, 04:10 AM
roamingnomad,
The assumption here is that anyone in question who would su to gain root access already does have the root password.
As far as RMS goes- yeah, he's a pretty strange bird (and more than a bit evangelical to boot) but I've got no problem whatsoever with what he's done to promote open-source/free software (http://www.fsf.org/fsf/fsf.html). If you want a stranger bird than RMS, check out some of ESR's thoughts and writings- be afraid, be very afraid...
bwkaz
07-07-2003, 09:10 PM
Not entirely sure if this has been said yet or not (shame on me, I should really read the whole thread instead of skimming... ;)), but RMS is from a very academic world. In academia, this kind of idea is perfectly acceptable -- especially among the Real Hackers that started the Internet, and the culture surrounding them. It's a freedom of information thing partly, but it's also a "who cares, just let stuff happen on these systems, we trust everybody using them anyway" type of thing.
I don't believe that what he said should ever be taken seriously outside of the academic world, in other words.
Alex Cavnar, aka alc6379
07-08-2003, 06:43 PM
Originally posted by bwkaz
I don't believe that what he said should ever be taken seriously outside of the academic world, in other words.
The problem, though, is that his words were taken out of the academic world. Unless someone implements an approach like stiles suggested, any user would have access to su, thus being able to become the super user.
In an academic environment, yes, most everyone using the machine is competent and well-meaning. But, in the Real World(TM), everyone on your system isn't the same way. There are always the stories of disgruntled employees or stupid crackers trying to cause harm to your systems, systems that may be providing a big income source to your organization. With all of the virii and script kiddie tools available, and the uncountable unpatched security holes, I just feel that not having some type of access control to su, be it simple group file permissions, a "wheel" group, or a PAM implementation, just gives the Bad Guys yet another way to compromise a system.
justlinux.com