
Re: Please verify these 2 OpenBSD Bugs (FAQ, adduser, login.conf)



On Sat, Jan 01, 2005 at 06:39:48PM +0100, Mark Farquaad wrote:
> > If group 0 (normally ``wheel'') has users listed then only those
> > users can su to ``root''.  It is not sufficient to change a user's
> > /etc/passwd entry to add them to the ``wheel'' group; they must
> > explicitly be listed in /etc/group.  If no one is in the ``wheel''
> > group, it is ignored, and anyone who knows the root password is
> > permitted to su to ``root''.
[...]
> I think the behaviour of adduser mentioned in this post
> should be considered to be not quite self-evident or, to an 
> average user: *buggy*!

No, it isn't; adduser(8) works exactly as expected.

If there's a problem at all, it's related to su(1). But then the
behaviour of su(1) wrt group "wheel" is well documented and a
long-standing behaviour, too (more than 10 years old). Changing this may
have a very bad impact, such as users getting the permission to run
su(1) that don't have that permission in the current implementation.

So, what's typically happening (or rather, what I would expect when
running into this problem), is:

1. adduser(8) with login group "wheel"
2. being surprised that that user can't su(1)
3. reading su(1) and searching for "wheel" => Problem identified
4. usermod -G wheel $THE_USER => Problem solved

Takes about two minutes from 2. to 4.

Ciao,
	Kili
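
The mismatch discussed in this thread (login group "wheel" in the passwd entry, but no explicit listing in /etc/group) can be audited with a short script. This is an added example, not part of the original message; the function names and sample accounts are constructed for illustration, and skipping uid 0 accounts is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Paths are arguments so the check
# can be run against copies of /etc/passwd and /etc/group.

# Member list (comma-separated, possibly empty) of the gid-0 group.
wheel_members() {
    awk -F: '!/^#/ && $3 == 0 { print $4; exit }' "$1"
}

# "enforced" if gid 0 lists members, "ignored" if the list is empty
# (su(1) then lets anyone who knows the root password become root).
wheel_status() {
    if [ -n "$(wheel_members "$1")" ]; then echo enforced; else echo ignored; fi
}

# Non-root accounts whose login group is gid 0 but that are not listed
# in the gid-0 group. usage: wheel_unlisted PASSWD_FILE GROUP_FILE
wheel_unlisted() {
    awk -F: -v members="$(wheel_members "$2")" '
        BEGIN { n = split(members, m, ","); for (i = 1; i <= n; i++) listed[m[i]] = 1 }
        /^#/ { next }
        $3 != 0 && $4 == 0 && !($1 in listed) { print $1 }
    ' "$1"
}

# Constructed sample files for trying the check offline.
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/ksh
alice:*:1000:0:Alice:/home/alice:/bin/ksh
bob:*:1001:10:Bob:/home/bob:/bin/ksh
carol:*:1002:0:Carol:/home/carol:/bin/ksh
EOF
    cat > "$1/group" <<'EOF'
wheel:*:0:root,alice
users:*:10:
EOF
}

# Run against real files when two paths are given.
if [ "$#" -eq 2 ]; then
    echo "wheel check: $(wheel_status "$2")"
    wheel_unlisted "$1" "$2"
fi
```

Each name printed by wheel_unlisted is an account that has wheel as its login group but cannot su(1) until it is listed in /etc/group.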