by dataflow 1030 days ago
I read the page and don't understand what's going on. What is special about the 'wheel' group and what is su even "checking" in the first place? Isn't it just supposed to switch user? And what are the implications of not-checking whatever it was supposed to check? And I also don't get: if someone has the root password, can't they change what groups they're a member of?
3 comments

> What is special about the 'wheel' group and what is su even "checking" in the first place?

By convention, "wheel" is a special Unix user group that determines who can use "su" and "sudo". Most "su" and "sudo" implementations allow the sysadmin to make their use exclusive to the trusted users inside the "wheel" group. In most systems, it's the default setting of "su", and optional for "sudo" (given as an example in /etc/sudoers).

> if someone has the root password, can't they change what groups they're a member of?

No. If "su" is configured to be "wheel"-exclusive, you can't log in as root even if you have the password, because you cannot use "su" - unless you have direct access to the system console that allows you to type "username: root", which is almost never the case on servers that disable remote root login.

> What is special about the 'wheel' group and what is su even "checking" in the first place?

Users who aren't in the wheel group aren't supposed to be able to become root, even if they have the password.

> Isn't it just supposed to switch user? And what are the implications of not-checking whatever it was supposed to check?

Someone who steals the root password (say, by looking over the sysadmin's shoulder) would be able to become root.

> And I also don't get: if someone has the root password, can't they change what groups they're a member of?

No, because they can't log in as root and (on non-broken systems) can't become root.

Naive question: if you can `sudo`, can't you just `sudo bash`? What can you do with `su` that you couldn't do with `sudo bash`?

Or is the wheel group not really about being able to sudo?

You’re thinking about it backwards.

`su` predates `sudo` by a decade and doesn’t offer the fine-grained control `sudo` has. With `su`, if you have the root password, you can do anything you want as root. With `sudo`, admins can configure what commands users are allowed to run as root and could specifically block `sudo bash` from running.

Wheel and su predate sudo by many years. sudo has a config file called sudoers; su has a config file called the wheel line in /etc/group.
It's 'substitute user', not just 'super user'. With su you can impersonate any user.

Wheel users can do anything because (default) sudoers contains

  %wheel  ALL=(ALL)   ALL
https://unix.stackexchange.com/questions/152442/what-is-the-...
Basically, su vs sudo. Do you want any user to be able to become root, if they know the root password? Or do you want more control over the process?
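
An added example, not part of the thread: a small audit that reads the wheel line of `/etc/group` and looks for an unrestricted `%wheel  ALL=(ALL)   ALL` rule in sudoers, the two pieces of configuration the comments above refer to. The file contents are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample contents, not taken from any real system.
SAMPLE_GROUP = "root:x:0:\nwheel:x:10:alice,bob\nusers:x:100:alice,bob,carol\n"
SAMPLE_SUDOERS = """\
root    ALL=(ALL)   ALL
# %sudo  ALL=(ALL)   ALL
%wheel  ALL=(ALL)   ALL
%ops    ALL=(ALL)   /usr/bin/systemctl restart nginx
"""

# Matches an unrestricted group rule such as "%wheel  ALL=(ALL)   ALL",
# also allowing the (ALL:ALL) runas form and a NOPASSWD: tag.
FULL_RULE = re.compile(
    r"^%(?P<group>\S+)\s+ALL\s*=\s*\(\s*ALL(?:\s*:\s*ALL)?\s*\)\s*"
    r"(?:NOPASSWD:\s*)?ALL$"
)

def group_members(group_text, name="wheel"):
    """Members listed on the `name` line of /etc/group-format text.
    Users who have the group only as their primary GID in /etc/passwd
    are not listed there and are not reported."""
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4 and fields[0] == name:
            return sorted(m.strip() for m in fields[3].split(",") if m.strip())
    return []

def groups_with_full_sudo(sudoers_text):
    """Groups granted 'ALL=(ALL) ALL'. Comment lines are skipped;
    include directives and aliases are not followed (simplification)."""
    found = set()
    for line in sudoers_text.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        m = FULL_RULE.match(line)
        if m:
            found.add(m.group("group"))
    return found

def audit(group_text, sudoers_text, group="wheel"):
    """Summarise who the wheel line admits and whether sudoers gives them root."""
    return {
        "members": group_members(group_text, group),
        "full_sudo": group in groups_with_full_sudo(sudoers_text),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_GROUP, SAMPLE_SUDOERS))
```

On a real host the inputs would be the text of `/etc/group` and `/etc/sudoers`; every name in `members` is an account whose compromise leads to root when `full_sudo` is true.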