It appears to be Unix tradition that a wheel group is created automatically, but Debian (and children, naturally) doesn't do so. Is there a rationale somewhere? Where else have you seen this tradition discarded?
Asked
Active
Viewed 5.1k times
2 Answers
33
Some unix systems allow only members of the wheel group to use su. Others allow anyone to use su if they know the password of the target user. There are even systems where being in the wheel group grants passwordless root access; Ubuntu does this, except that the group is called sudo (and doesn't have id 0).
I think wheel is mostly a BSD thing. Linux is a mix of BSD and System V, and the various distributions have different default policies with respect to granting root access. Debian happens not to implement a wheel group by default; if you want to enable it, uncomment the auth required pam_wheel.so line in /etc/pam.d/su.
Gilles 'SO- stop being evil'
- 829,060
19
Because wheel is a tool of oppression! From info su:
Why GNU 'su' does not support the 'wheel' group
(This section is by Richard Stallman.)
Sometimes a few of the users try to hold total power over all the rest. For example, in 1984, a few users at the MIT AI lab decided to seize power by changing the operator password on the Twenex system and keeping it secret from everyone else. (I was able to thwart this coup and give power back to the users by patching the kernel, but I wouldn't know how to do that in Unix.)
However, occasionally the rulers do tell someone. Under the usual `su' mechanism, once someone learns the root password who sympathizes with the ordinary users, he or she can tell the rest. The "wheel group" feature would make this impossible, and thus cement the power of the rulers.
I'm on the side of the masses, not that of the rulers. If you are used to supporting the bosses and sysadmins in whatever they do, you might find this idea strange at first.
See also the Debian Reference. Anyways, the sudo group is built in so who needs wheel?
Janus
- 1,533
-
16I don't know the history, but I doubt this quote is the real reason why Debian doesn't implement the
wheelgroup by default. (Debian'ssudoes support thewheelgroup, it's just not enabled by default.) Anyway rms's reasoning might apply to MIT in the 1980s, but it doesn't apply to most places where not all users can be trusted and ubiquitous Internet accessibility means security needs to protect against attackers from all over the world. – Gilles 'SO- stop being evil' Dec 01 '10 at 08:31 -
1
-
1For what it’s worth, this is pretty bad reasoning for this feature. Nowadays almost all devices have internet access, making them vulnerable to completely known third parties, and there any extra restriction caused by this kind of group would make sense. – Smar Sep 20 '21 at 12:02
wheel:x:0:rootand modify the /etc/pam.d/su file asauth required pam_wheel.so group=wheel, (removing the comment before). – elika kohen Oct 29 '15 at 20:53wheelgroup to make use of thesudogroup in its place forpampurposes. Just addgroup=sudofollowing the statement. e.g. to allow members of thesudogroup tosuwithout a password, simply uncomment/modify the line in/etc/pam.d/suas follows:auth sufficient pam_wheel.so trust group=sudo– David C. Rankin Jan 11 '17 at 05:03sudoersis the way to control this now (September 2017). – SDsolar Sep 11 '17 at 08:07/etc/sudoershas always been the way to control root access. But since the defaultsudoersallows anybody in thesudogroup to become root, you can control root access by managing the list of users who are in thesudogroup. – Gilles 'SO- stop being evil' Sep 11 '17 at 08:45