On Wednesday 10 Aug 2011, Robert Isaac wrote:
> On Mon, Aug 8, 2011 at 11:05 AM, A J Stiles <de...@earthshod.co.uk> wrote:
> > The idea is, by cunning use of groups, never to have to give out the root
> > password in the first place.
>
> I understand that, however _all_ users can gain root with gnu su,
> effectively defeating the purpose of groups if you don't configure
> pam_wheel beyond its default.

Not _all_ users -- only the ones who have the root password. Which you simply don't give to ordinary users.

If someone needs to write a CD, you need only make them a member of the group "cdrom" which has write permission on the CD writer device. If they need to print, you make them a member of group "lp".

If someone really needs to use a few commands that really are root-only but it is not desirable for them to have full root privileges, they should be using sudo limited only to those commands.

Anyway, "wheel" is no magic bullet. Even on a system which supports it, what is there to stop a user who has the root password and physical access but isn't a member of the group "wheel", from logging in directly as root from the console?

--
AJS

delta echo bravo six four at earthshod dot co dot uk

Archive: http://lists.debian.org/201108110916.08800.de...@earthshod.co.uk
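
As an added example (not part of the thread or of any Debian tooling), the following script reports whether `su` is limited by pam_wheel or open to anyone holding the root password, which is the distinction the two posters are arguing over. The function names and the file copies passed in are assumptions; it says nothing about direct root logins at the console, which a pam_wheel line for `su` does not govern.

```shell
#!/bin/sh
# Added example: report who may use su to become root.
# File paths are arguments so the check can run against copies of
# /etc/pam.d/su and /etc/group. Only "auth required|requisite" pam_wheel
# lines count as a restriction; "sufficient ... trust" lines grant access
# instead, and the "deny" option is not handled here.

# Print the first uncommented restricting pam_wheel line, if any.
wheel_line() {
    grep -E '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so' "$1" | head -n 1
}

# Print the group pam_wheel enforces: group=NAME if given, else "wheel"
# when that group exists, else the GID 0 group (pam_wheel's documented fallback).
wheel_group() {
    line=$1; group_file=$2
    name=$(printf '%s\n' "$line" | sed -n 's/.*[[:space:]]group=\([^[:space:]]*\).*/\1/p')
    if [ -n "$name" ]; then
        printf '%s\n' "$name"
    elif grep -q '^wheel:' "$group_file"; then
        echo wheel
    else
        awk -F: '$3 == 0 { print $1; exit }' "$group_file"
    fi
}

# Print "open" when any holder of the root password can su, otherwise
# "restricted:GROUP:MEMBERS" (members from field 4 of the group file;
# users whose primary group is GROUP are not listed there).
su_exposure() {
    pam_file=$1; group_file=$2
    line=$(wheel_line "$pam_file")
    if [ -z "$line" ]; then
        echo open
        return 0
    fi
    grp=$(wheel_group "$line" "$group_file")
    members=$(awk -F: -v g="$grp" '$1 == g { print $4 }' "$group_file")
    echo "restricted:$grp:$members"
}

# Run against real files only when two paths are given on the command line.
if [ "$#" -eq 2 ]; then
    su_exposure "$1" "$2"
fi
```

Run it as `sh su_audit.sh /etc/pam.d/su /etc/group` (the script name is hypothetical); an `open` result means the root password alone decides who can become root through `su`.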