Re: The use of the auth-group (and auth-user) ?



On May 29, 8:15 pm, b...@xxxxxxx (Bill Vermillion) wrote:
In article <1180457964.496188.169...@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,

ThreeStar <s...@xxxxxxxxxxxxxxxxx> wrote:
On May 29, 7:50 am, Koppe <kopp...@xxxxxxxxx> wrote:
On May 29, 5:35 am, b...@xxxxxxx (Bill Vermillion) wrote:

[lots deleted - wjv]



I still would like to know more about the auth-group (and
auth-user?), and if SCO has a more reasonable division of
directories and files into groups and perhaps users.
Btw, I've seen some listings of files in SCO; is there a reason
why some executables are root:bin and others bin:bin? With
binaries without the SUID bit, what is the difference?
-Koppe
You're being a bit obscure about your purpose, which makes it hard to
provide an answer.
User and group "auth" are merely used to mark ownership and
permissions of SCO's authentication subsystem. For more
information see the man page for "tcbck." The kernel consults
the authentication database to control user access to, as you
say, "what they actually need." See, generally, the man page for
"usermod." Effectively it's an early ACL system.
There is no SCO analog to the Linux "wheel" group. <Soap box> SCO got
that one right. Making execution rights depend upon a group name is a
violation of database normal design. </Soap box>

It's BSD that has the 'wheel' group. And the groups in *BSD are
quite different than those in Unix or Linux. The group 'wheel'
in the *BSDs is just another name for 'root' as there is NO 'root'
group. The real difference is that a user has to be in the 'wheel'
group to be able to 'su' to root. It's supposed to be more secure
that way.

However I have had some design problems with the way it is
implemented, as there are holes in the concept from my POV.
It's basically nothing more than a two-password way of getting
root privileges - but when I've questioned it I've received
no good reasons why it isn't more secure.

As it is installed 'wheel' is just the name of
the group that 'root' is in, and there are no other users
in 'wheel' except group when you install it. If you change the
name of group 0 in /etc/groups to wheel it will look the same as
in *BSD. And if you remove group 0, any user can su to root.

SCO has an "asroot" facility, which see. Asroot can be used somewhat
like "sudo" to run various commands as root. It works, of course,
through the authentication subsystem.

Which is a lot better than letting a user su to root as you can
restrict their privileges.

As a correction, the daemons aren't launched by the OS. They're
launched by scripts. Although it's arguably a Linux & SCO weakness
that all these scripts are launched by the init process in the "root"
context, they can and some do downgrade themselves by running "su". As
a simple example, the telnet or ssh daemons run as root. But when a
particular user logs in, that instance downgrades to that user's
rights.
SUID isn't that widespread on most systems. For example, the "su"
command is SUID root for much the same reason that the telnetd runs as
root. But a user without "su" authorization isn't allowed to execute
it regardless.

--RLR

Bill
--
Bill Vermillion - bv @ wjv . com

FWIW the PAM module pam_wheel.so controls su privileges and the
"wheel" group. Linux distros vary on the default configuration. In
the Oracle (!) Red Hat Enterprise clone I'm looking at just now it's
commented out of /etc/pam.d/su so "wheel" is just another group on
this system.

--RLR
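
The check described in the last post (is pam_wheel.so active in /etc/pam.d/su, or commented out?) can be scripted. This is an added example, not part of the thread; the function names and sample data are constructed for illustration, and it reports only members listed in the group file, not users whose primary GID is that group.

```python
import re

# Constructed samples: the pam_wheel rule is commented out, as in the post above.
SAMPLE_PAM = "auth sufficient pam_rootok.so\n#auth required pam_wheel.so use_uid\n"
SAMPLE_GROUP = "root:x:0:\nwheel:x:10:alice\n"

def active_pam_wheel_rules(pam_text):
    """Return (control, options) for each uncommented 'auth ... pam_wheel.so' line."""
    rules = []
    for raw in pam_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, so disabled rules vanish
        # type, control (word or [bracketed list]), module path, optional arguments
        m = re.match(r"-?(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m and m.group(1) == "auth" and m.group(3).rsplit("/", 1)[-1] == "pam_wheel.so":
            rules.append((m.group(2), m.group(4).split()))
    return rules

def group_members(group_text, name=None):
    """Members listed in group-file text; with no name, use 'wheel' or else GID 0."""
    entries = {}
    for line in group_text.splitlines():
        f = line.strip().split(":")
        if len(f) == 4:
            entries[f[0]] = (f[2], [u for u in f[3].split(",") if u])
    if name is None:
        name = "wheel" if "wheel" in entries else next(
            (n for n, (gid, _) in entries.items() if gid == "0"), None)
    return name, entries.get(name, ("", []))[1]

def audit_su(pam_text, group_text):
    """One finding per active pam_wheel rule; an empty list means su is not gated."""
    findings = []
    for control, opts in active_pam_wheel_rules(pam_text):
        wanted = next((o.split("=", 1)[1] for o in opts if o.startswith("group=")), None)
        name, members = group_members(group_text, wanted)
        if "deny" in opts:
            mode = "deny-members"            # membership blocks su
        elif "trust" in opts:
            mode = "members-skip-password"   # membership replaces the root password
        elif control in ("required", "requisite"):
            mode = "members-only"            # non-members cannot su
        else:
            mode = "not-enforcing"
        findings.append({"mode": mode, "group": name, "members": members})
    return findings

if __name__ == "__main__":
    print(audit_su(SAMPLE_PAM, SAMPLE_GROUP) or "pam_wheel inactive: wheel is just another group")
```

On a live system, pass the contents of /etc/pam.d/su and /etc/group instead of the samples.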
