
Re: Please verify these 2 OpenBSD Bugs (FAQ, adduser, login.conf)



Hi,

Adam Getchell wrote on Fri, Dec 31, 2004 at 09:35:55AM -0800:

> No, that's the trick right there. You've added user "foo" to login
> group "foo" first, then added to wheel. If you rerun this and add
> "foo" to login group "wheel" directly,

Usually, I would recommend against choosing "wheel" as the login
group (i.e., the one referenced in passwd(5)) for any user
except root - certainly not for some human user who is going to
work as a sysadmin.  Being a member of the group 10 "users" will
be useful even for a sysadmin.  Why any home dir with all the
files inside should belong to the group "wheel" is not obvious
to me, either.

Even for nearly all specialised purposes, creating a dedicated
group would appear to me as a more natural and less risky option
than adding an account to the group "wheel", let alone making "wheel"
its login group.  Do keep different privileges separate as much
as possible.

Of course, there may be very exceptional conditions when you do
want "wheel" to be the login group for some particular account
for whatever reason.  But in such a case, special care is
advisable anyway...

That said, I suspect somebody naively typing "wheel" at the
"Login group" prompt in adduser(8) might have worse problems
than not being able to su(1) root afterwards.

Yours,
  Ingo
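
Added example, not part of the original message: a shell check for the situation discussed above. It lists non-root accounts whose passwd(5) login group is "wheel" and, separately, accounts that are only listed as "wheel" members in group(5). The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Audit passwd(5)/group(5) style files for use of the group "wheel".
# Works on /etc/passwd and master.passwd layouts: the gid is field 4 in both.

# wheel_audit PASSWD_FILE GROUP_FILE
# Prints "<name> login"  for non-root accounts whose login group is wheel,
#        "<name> member" for non-root accounts listed in wheel's member field.
wheel_audit() {
    passwd_file=$1
    group_file=$2

    # Resolve wheel's numeric gid from the group file instead of assuming it.
    gid=$(awk -F: '$1 == "wheel" { print $3; exit }' "$group_file")
    [ -n "$gid" ] || { echo "no wheel group in $group_file" >&2; return 1; }

    # Login group: the gid field of the passwd entry itself.
    awk -F: -v gid="$gid" '
        !/^#/ && NF >= 7 && $4 == gid && $1 != "root" { print $1, "login" }
    ' "$passwd_file"

    # Supplementary membership: the comma-separated list in the group entry.
    awk -F: '
        $1 == "wheel" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] != "" && m[i] != "root") print m[i], "member"
        }
    ' "$group_file"
}

# make_samples DIR: write constructed sample files (not real system data).
# "foo" has its own login group and was added to wheel afterwards;
# "bar" had "wheel" typed at the "Login group" prompt.
make_samples() {
    cat > "$1/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/ksh
foo:*:1000:1000:Foo:/home/foo:/bin/ksh
bar:*:1001:0:Bar:/home/bar:/bin/ksh
baz:*:1002:10:Baz:/home/baz:/bin/ksh
EOF
    cat > "$1/group" <<'EOF'
wheel:*:0:root,foo
users:*:10:
foo:*:1000:
EOF
}
```

Run wheel_audit against copies of the two files; every "login" line is an account worth reviewing in the sense of the message above.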