On Sun, Sep 17, 2000 at 06:38:13PM +0200, Christian Pernegger wrote:
> > i would recommend against using group root for this purpose, instead
> > add a new group `wheel' and use that.
>
> <snip good reasons>
>
> > for pam add this line to the top of your /etc/pam.d/su file:
> >
> > auth requisite pam_wheel.so group=wheel debug
>
> The example says required, but requisite is the far better choice - thanks!

requisite better replicates the BSD su behaviour where you are not even
given the opportunity to enter a password. purists may argue that
allowing the user to futilely enter passwords is better since it will
give away less, but i say they can figure out you have a wheel group
setup pretty easy anyway. (gee a wheel group exists with a couple users
but no real files on the system owned by that group, hmm ;-))

> Another question: in /etc/pam.d/login there is a line that causes
> /etc/issue to be shown - it was commented out on my box, still
> an issue is displayed.

login displays /etc/issue on its own without the pam module. i am not
really sure what pam_issue is for. i suppose on a purists level login
should not display the issue file, pam_issue should, that leaves the
choice more up to the admin. i personally don't really care much since
issue is only seen on the console and issue.net only in telnet, and i
don't allow telnet, and i'm the only one i let on the console...

> I activated it and expected to see the issue line twice, which I
> didn't. What displays issue if the PAM option has no apparent
> effect?

see above. though that is odd that pam_issue does not appear to work, or
maybe it's just smart enough to know the issue is already printed?

--
Ethan Benson
http://www.alaska.net/~erbenson/
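Added example, not part of the original message or of PAM itself: a simplified Python model of how an auth stack is walked, showing why `requisite` on the pam_wheel line stops a non-wheel user before any password prompt while `required` does not. The sample su stack, the `pam_unix.so` line standing in for the password prompt, and all function names are assumptions made for illustration.

```python
# Added illustration: a simplified model of how PAM walks an auth stack.
# Only the control flags required, requisite and sufficient are modelled.

# Constructed sample of /etc/pam.d/su with the pam_wheel line on top.
# pam_unix.so is assumed to be the module that asks for the password.
SU_STACK = """\
# /etc/pam.d/su (constructed sample)
auth {control} pam_wheel.so group=wheel debug
auth required pam_unix.so
"""

def parse_auth_stack(text):
    """Return [(control, module, args)] for the auth lines of a pam.d file."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2], fields[3:]))
    return stack

def run_stack(stack, module_results):
    """Walk the stack; module_results maps module name -> True on success.
    Returns (authenticated, modules that were actually invoked)."""
    invoked, failed = [], False
    for control, module, _args in stack:
        invoked.append(module)
        ok = module_results[module]
        if control == "requisite" and not ok:
            return False, invoked        # fail at once, later modules never run
        if control == "required" and not ok:
            failed = True                # remember the failure, keep going
        if control == "sufficient" and ok and not failed:
            return True, invoked         # success ends the stack early
    return not failed, invoked

def su_attempt(control, in_wheel, password_ok):
    """Model one su attempt with the given control flag on pam_wheel."""
    stack = parse_auth_stack(SU_STACK.format(control=control))
    results = {"pam_wheel.so": in_wheel, "pam_unix.so": password_ok}
    return run_stack(stack, results)

if __name__ == "__main__":
    # A user outside wheel who knows the correct root password.
    for control in ("required", "requisite"):
        ok, invoked = su_attempt(control, in_wheel=False, password_ok=True)
        prompted = "pam_unix.so" in invoked
        print(f"{control:9}: su allowed={ok}, password prompt reached={prompted}")
```

Both flags deny the non-wheel user; the difference is only whether the password module is still invoked, which is the trade-off discussed in the reply above.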