by dathinab 1029 days ago
A different reason why it's good that it doesn't support wheel:

- it makes it smaller, less code which can go wrong

- su isn't limited to "set user root" but wheel tends to be

- it avoids having to handle many kinds of subtle problems with group-based permission handling in Linux

It's just not a bad idea to have a very minimalist program like su and then delegate all more complicated "acting as user" permission handling to other programs like sudo or doas.

Though tbh. the more I learn, the more I come to believe that uid/gid based permission handling is fundamentally flawed (but also good enough inside of a single application OCI (docker) image). The facts that Linux had to add a (very limited) capability system, or that enterprise permission handling often goes through stuff like polkit adding additional handling than just "gid/uid match", are I think very telling.


I don't think GNU has ever committed to any kind of minimalist philosophy.

Have you seen the number of flags every command has? ls has almost the entire alphabet taken.

From the GNU Fortran manual:

“9.5 Case Sensitivity: There are 66 useful settings that affect case sensitivity, plus 10 settings that are nearly useless, with the remaining 116 settings being either redundant or useless.”

https://gcc.gnu.org/onlinedocs/gcc-3.4.6/g77/Case-Sensitivit...

GNU had to create a convention for the --long flags to fit all of their options.

I think the convention itself is good - I prefer long flags in scripts for improved readability.

But GNU is anything but minimal - compare GNU ls[1] with BSD ls[2], and try to recall the last time you needed --dereference-command-line-symlink-to-dir.

[1]: https://linux.die.net/man/1/ls
[2]: http://man.openbsd.org/ls

>I don't think GNU has ever committed to any kind of minimalist philosophy

So true. I remember early on when GNU was started, people in the project were saying and developing with something like this in mind (paraphrasing):

"Make sure it works and meets users' needs, even if it is too heavy for current systems; the hardware will improve as time goes on"

And that came true; for example, emacs is a light ballerina compared to current IDEs.

suid bits are flawed and ideally should not exist. You should only be able to drop privileges. su/sudo should be replaced by ssh anotheruser@localhost (or simpler implementation with unix socket and without encryption, but the idea is the same).
You would not be able to change your password without suid.

I guess there are ways that sudo/doas could be adapted to implement passwd, chfn, chsh and friends, but the approach appears to have been chosen in the '70s, and codified by POSIX.

How do you think these should be implemented?

Just make a request to the service which runs under root to change the password. Include the necessary credentials (e.g. current password or its hash) and the new password (or its hash). How this request will be authenticated is another matter, but there are plenty of ways to authenticate a request. Or maybe there should be better ways if current ways are flawed.

My point is that it does not have to be coded in the kernel as a dedicated mechanism to circumvent protection. Use any IPC channel to send a message to another process which already runs under root and accepts those messages.
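One way a root-side service can authenticate such a request, as an added example that is not part of the thread: the handler asks the kernel for the identity of the AF_UNIX peer (Linux `SO_PEERCRED`), which the client cannot forge, and only ever changes the password of that uid, ignoring any uid the message itself claims. The account table, message format and `demo()` socketpair exchange are constructed for this demo so it runs offline.

```python
import json
import os
import socket
import struct

# Constructed stand-in for the account database: uid -> current secret.
# A real service would consult /etc/shadow or PAM; this exists so the demo runs offline.
ACCOUNTS = {os.getuid(): "old-secret"}


def peer_credentials(conn):
    """Return (pid, uid, gid) of the process on the other end of an AF_UNIX socket.

    The values come from the kernel (struct ucred), not from the client's message,
    so a client cannot claim to be someone else. Linux-specific.
    """
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    return struct.unpack("3i", raw)


def handle_request(conn, payload):
    """Root-side handler: change only the *caller's* password (hypothetical protocol)."""
    _, uid, _ = peer_credentials(conn)
    req = json.loads(payload)
    if req.get("op") != "chpasswd":
        return {"ok": False, "error": "unknown op"}
    # A message may name a target uid, but the kernel-supplied peer uid is what we trust.
    if req.get("uid", uid) != uid:
        return {"ok": False, "error": "cannot change another user's password"}
    # Prove knowledge of the current secret before accepting a new one.
    if ACCOUNTS.get(uid) != req.get("current"):
        return {"ok": False, "error": "authentication failed"}
    ACCOUNTS[uid] = req["new"]
    return {"ok": True, "uid": uid}


def demo(request):
    """One request/reply exchange over a socketpair standing in for a unix-socket service."""
    client, service = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        client.sendall(json.dumps(request).encode())
        reply = handle_request(service, service.recv(4096).decode())
        service.sendall(json.dumps(reply).encode())
        return json.loads(client.recv(4096).decode())
    finally:
        client.close()
        service.close()
```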

On this, you must understand the original "poverty of UNIX," in that it originated on a 16-bit PDP-11.

There was no room in that environment for a running service to elevate privilege, so it was implemented as a kernel system call.

This poverty meant that efficiency was required, and setuid was the most efficient mechanism.

It was a reasonable and efficient mechanism for its time, and it has successfully scaled to the realm of modern supercomputers, and remains efficient on the lowliest of embedded systems.

Maybe there was a more secure option, bearing in mind all the places that UNIX was forced to go, but I cannot think of one.

You’re talking about tools and systems that just did not exist when the idea to have su check wheel membership came about.

It was a different world, and having some basic speed bumps like not allowing random user accounts to su to root was useful at the time.