[SGVLUG] Security of using "wheel"...
Rae Yip
rae.yip at gmail.com
Fri Dec 5 16:57:58 PST 2008
The wheel group isn't as relevant today because of sudo and other
alternative privilege models. Since in most Unixes, the wheel group is
just a convention for limiting who can su, you're more likely to find
a finer-grained privilege control such as sudoers (or Solaris 10 RBAC)
that achieves the same thing but provides you more choices.
Also, group membership is public info since it's in /etc/passwd, so
you're immediately putting a bull's eye on your sysadmins; it'd be
very easy to automate local exploits to target members of the wheel
group. Whereas sudoers is readable only by root.
Finally, limiting wheel members to just local access doesn't work in
today's world of mostly remote administration.
-Rae.
On Fri, Dec 5, 2008 at 3:17 PM, Emerson, Tom (*IC)
<Tom.Emerson at wbconsultant.com> wrote:
> I suppose I should file this under "new things I learn even today..."
> but as the majority of "linux" systems that I have /actually/ used are
> glorified single-user systems, i.e., where "I" am the only actual "user"
> configured as a non-root login account, I never really had an
> opportunity to consider what the "wheel" group is on a Linux system...
>
> A quick search of the net turned up this link:
>
> http://administratosphere.wordpress.com/2007/07/19/the-wheel-group/
>
> Which points out that the "GNU" version of su "does not support the
> wheel group", and has a chunk of text from the "info" file, written by
> Stallman, explaining why.
>
> To this, I'd reply "fair enough, that would explain why I've never
> really heard much about it". I seem to recall noticing that the "wheel"
> group on an old system seemed to have "daemon" users in it [this might
> have been a slackware distro, or perhaps freebsd which I ran once many
> moons ago...] Of course, at this point it might be a fabricated memory
> ;)
>
> In any case, a little deeper in the search I came across this:
>
> http://www.cert.org/tech_tips/usc20_essentials.html
>
> Which makes explicit mention as follows:
>
> ===============================
> On systems that implement the /etc/login.access file, consider modifying
> this file to disallow remote access to privileged accounts. An example
> to disallow non-local logins to privileged accounts (group wheel):
>
> -:wheel:ALL EXCEPT LOCAL
>
> See also 2.10 /etc/login.access
> ===============================
>
> Which would be a great and simple thing to do, however on my latest SuSE
> system, "by default" the "wheel" group is actually empty, so the above
> line wouldn't do a thing on my system.
>
> Any thoughts or comments on this? I'd especially like to hear from
> anyone who actively maintains a Unix or Linux system with more than
> their own logon ID configured on it...
>
>
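The login.access rule Tom quotes, and the two objections Rae raises (anyone can read who is in the group, and an empty wheel group turns the rule into a no-op), can be checked without touching a real system. The script below is an added example written for this archive page, not code posted by either of them. It evaluates login.access / pam_access style rules ("permission:users:origins") against a constructed /etc/group, under the classic semantics assumed here: first matching rule wins, "+" permits, "-" denies, no match permits, and LOCAL matches an origin (a tty or a bare hostname) that contains no "." character. The group files, user names and origins are all made up for the demonstration.

```shell
#!/bin/sh
# Added example for this page, not code from the thread. Evaluates
# login.access / pam_access style rules ("permission:users:origins")
# against a constructed /etc/group to show what "-:wheel:ALL EXCEPT LOCAL"
# does, and what it stops doing when wheel is empty. Assumed semantics:
# first matching rule wins, "+" permits, "-" denies, no match permits,
# and LOCAL matches an origin (tty or hostname) containing no "." character.

# Constructed sample group files (not taken from any real system).
SAMPLE_GROUP='root:x:0:
wheel:x:10:alice,bob
users:x:100:carol'

EMPTY_WHEEL_GROUP='root:x:0:
wheel:x:10:
users:x:100:alice,bob,carol'

# Constructed rule set: the rule Tom quoted, then an explicit catch-all.
SAMPLE_ACCESS='-:wheel:ALL EXCEPT LOCAL
+:ALL:ALL'

# wheel_members <group-file-text>: prints wheel's members on one line.
# The group file is world-readable, so this is exactly the target list
# Rae warns about.
wheel_members() {
    printf '%s\n' "$1" | awk -F: '$1 == "wheel" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") printf "%s%s", (i > 1 ? " " : ""), m[i]
        print ""
    }'
}

# in_group <user> <group> <group-file-text>: succeeds if user is listed
# as a member of group.
in_group() {
    printf '%s\n' "$3" | awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }'
}

# origin_atom <ALL|LOCAL|name> <origin>: one origin token against the
# origin of the login attempt.
origin_atom() {
    case "$1" in
        ALL)   return 0 ;;
        LOCAL) case "$2" in *.*) return 1 ;; *) return 0 ;; esac ;;
        *)     [ "$1" = "$2" ] ;;
    esac
}

# origin_matches <origins-field> <origin>: handles "X" and "X EXCEPT Y".
origin_matches() {
    case "$1" in
        *" EXCEPT "*) origin_atom "${1%% EXCEPT *}" "$2" && ! origin_atom "${1#* EXCEPT }" "$2" ;;
        *)            origin_atom "$1" "$2" ;;
    esac
}

# access_check <user> <origin> <rules-text> <group-file-text>:
# prints "permit" or "deny" and returns 0 or 1 accordingly.
access_check() {
    ac_user=$1; ac_origin=$2; ac_gfile=$4
    while IFS=: read -r perm who from; do
        case "$perm" in ''|'#'*) continue ;; esac
        # users field: ALL, a literal user name, or a group containing the user
        if [ "$who" = ALL ] || [ "$who" = "$ac_user" ] || in_group "$ac_user" "$who" "$ac_gfile"; then
            if origin_matches "$from" "$ac_origin"; then
                case "$perm" in
                    +) echo permit; return 0 ;;
                    -) echo deny;   return 1 ;;
                esac
            fi
        fi
    done <<EOF
$3
EOF
    echo permit   # no rule matched: permit by default
    return 0
}

# Walk through the attempts discussed in the thread.
demo() {
    for attempt in alice:tty1 alice:10.0.0.5 bob:admin.example.com carol:10.0.0.5; do
        u=${attempt%%:*}; o=${attempt#*:}
        printf '%-6s from %-18s -> %s\n' "$u" "$o" "$(access_check "$u" "$o" "$SAMPLE_ACCESS" "$SAMPLE_GROUP")"
    done
    printf 'wheel members anyone can read: %s\n' "$(wheel_members "$SAMPLE_GROUP")"
    printf 'alice from 10.0.0.5 with an empty wheel group -> %s\n' \
        "$(access_check alice 10.0.0.5 "$SAMPLE_ACCESS" "$EMPTY_WHEEL_GROUP")"
}

demo
```

Run it with `sh` and compare the two alice lines: the same remote login is denied while alice is in wheel and permitted once wheel is empty, which is the situation Tom describes on his SuSE box, where the rule is present but has nobody to apply to. The real pam_access module also accepts group names written as `(wheel)`, whitespace around the colons, and netgroups; none of that is modelled here, and neither is sudoers, which is the mechanism Rae prefers precisely because its policy file is not readable by ordinary users the way the group file is.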