GNU su (was Re: Preventing SU Root)


Post by Andrew Philip Fabb » Fri, 01 Mar 1996 04:00:00



Quoth Magnus Ahltorp:
: This su does not allow the system administrator to keep a 'wheel' group,
: because the author(s) thinks it is not nice to the users if they manage to
: get hold of the root password. Don't ask me why.
                                 ^^^^^^^^^^^^^^^^

The answer is on the man page (excerpts appended).  After reading this, it
sounds like RMS had a bad experience with the wheel group and swore off
it.  But is his problem really widespread?  How many systems really have
"masses" needing to su root to "thwart the coup" of "rulers"?

I have a great deal of respect for RMS/FSF/the GNU ideal, but would be
interested to hear others' comments on this.

        <snip>
       This  program  does  not  support  a  "wheel  group"  that
       restricts  who can su to super-user accounts, because that
       can help fascist system  administrators  hold  unwarranted
       power over other users.

        <snip>
       Why GNU su does not support the wheel group (by Richard Stallman)
       Sometimes a few of the users try to hold total power  over
       all  the  rest.   For example, in 1984, a few users at the
       MIT AI lab decided to seize power by changing the operator
       password  on  the Twenex system and keeping it secret from
       everyone else.  (I was able to thwart this coup  and  give
       power  back  to  the  users  by patching the kernel, but I
       wouldn't know how to do that in Unix.)

       However, occasionally the rulers do tell  someone.   Under
       the usual su mechanism, once someone learns the root pass-
       word who sympathizes with the ordinary users, he can  tell
       the  rest.   The  "wheel  group"  feature  would make this
       impossible, and thus cement the power of the rulers.

       I'm on the side of the masses, not that of the rulers.  If
       you  are  used  to  supporting the bosses and sysadmins in
       whatever they do, you might  find  this  idea  strange  at
       first.

Andrew Fabbro                       | "In Hong Kong, things are so
ITD Marketing Research              |  simple.  Here, there are too


 
 
 

1. differences between su root and su - root

Hey there.  I have a problem.  I have a user who needs to ftp off my
non-ftp server using a tunnel through the firewall.  If the user tries
to ftp, they get the following:

422 [people2]ediprod:/gentran/prod> ftp nnn.nnn.nnn.nnn
Connected to nnn.nnn.nnn.nnn.
220 ieftp5 IE-FTP server (v4r1m0.e) ready on system USA.

(It hangs up with no logon prompt)

If I do a su root, I get the same thing:

246 [people2]ediprod:/gentran/prod> ftp nnn.nnn.nnn.nnn
Connected to nnn.nnn.nnn.nnn.
220 ieftp5 IE-FTP server (v4r1m0.e) ready on system USA.

(It hangs up with no logon prompt)

But, if I use su - root, I get a successful connection:

people2:/)ftp nnn.nnn.nnn.nnn
Connected to nnn.nnn.nnn.nnn.
220 ieftp5 IE-FTP server (v4r1m0.e) ready on system USA.
Name (nnn.nnn.nnn.nnn:xxxxxxx):

I did a path and env on both the su and the - su and the only
difference that I can see is this line:

su - root : AUTHSTATE=files
su root   : AUTHSTATE=compat

However, even if I change the AUTHSTATE in the su root with the
command
 people2:/)export AUTHSTATE=files , it still does not work.

Can anyone tell me what I am missing here and help me resolve this
issue so my user will be a happy camper??

thanks in advance, and have a great new year.

clark 'the dragon' willis
