by alexey-salmin 728 days ago
> Add any sudoers to the wheel group, and there you go: only users that can sudo are allowed to even read the bytes of the file off disk, let alone execute them.

That's very sensible, I wonder why it's not the default setup everywhere.

6 comments

Probably because there's nothing that says only users in wheel (assuming your OS/distro even has that group; some don't) can sudo. You can grant any user with any group membership access to sudo, either full access, or restricted to only certain commands.

If the package was set up to install /usr/bin/sudo so it was only runnable by members of the wheel group, that wouldn't work.
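A quick way to check the concern raised here before locking /usr/bin/sudo to group wheel: list the users granted sudo directly in sudoers who are not wheel members and would therefore lose access. This is an added example, not code from the thread; it runs on constructed sample sudoers and group files rather than the live system.

```shell
#!/bin/sh
# Added example: find sudoers entries that would break if /usr/bin/sudo
# were made executable only by members of a group (e.g. wheel).
# All input files below are constructed samples, not real system files.

TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
SUDOERS="$TMPD/sudoers"
GROUP="$TMPD/group"

# Constructed sudoers: a group rule, root, and two per-user rules.
cat > "$SUDOERS" <<'EOF'
# sample sudoers (constructed)
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL:ALL) ALL
alice   ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
deploy  ALL=(root) /usr/local/bin/deploy.sh
EOF

# Constructed group(5) file: alice is in wheel, deploy is not.
cat > "$GROUP" <<'EOF'
root:x:0:
wheel:x:10:alice,bob
deploy:x:1001:
EOF

# Print the members of $2 listed in group file $1, one per line.
group_members() {
    awk -F: -v g="$2" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
}

# Print users named directly in sudoers $1 (skipping comments, blank lines,
# Defaults, alias definitions, %group and +netgroup rules, and root)
# who are not members of group $3 according to group file $2.
sudoers_outside_group() {
    members=$(group_members "$2" "$3")
    awk '!/^[[:space:]]*(#|$)/ && $1 !~ /^(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias|%|\+)/ && $1 != "root" { print $1 }' "$1" |
    sort -u |
    while read -r u; do
        echo "$members" | grep -qx "$u" || echo "$u"
    done
}

sudoers_outside_group "$SUDOERS" "$GROUP" wheel   # prints: deploy
```

Any user it prints is one that `sudo` currently permits but a root:wheel 4750 binary would lock out, so either add them to wheel or leave the binary world-executable.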

It's worth noting that the reason why your OS/distro doesn't have or doesn't respect wheel is largely down to RMS opposing it[0], instead favoring people trading the root password around to unauthorized users.

[0] https://web.archive.org/web/20070603191229/http://www.gnu.or...

It's also worth noting that the Coreutils `su` is no longer in use by anyone, and that the `su` from the shadow package absolutely checks for wheel. It's even configurable if you haven't enabled PAM, by setting `SU_WHEEL_ONLY` in your login.defs. And with PAM you configure that via PAM.

Hell, not even GNU distros like GNU Guix, Parabola, or Trisquel follow RMS' opinions on this anymore.

Not all distros use `alias su='sudo -i'`. Ubuntu does. Debian does not. Not sure about others.
Having a wheel group that is allowed to run any command with su rights is the default setup, but it's not the only one.

I have used sudo a lot of times to allow a specific user to run exactly one command with elevated rights. In those cases they weren't in the wheel group.

Actually, restricting defined commands to defined sudoers should be one of the main use cases of sudo. This could be done as well via ssh config, but one would need a lot of keys if you do not want a wrapper (and to rewrite sudo all over).

If you are really thinking security, elevating a standard user seems bad practice anyway. It is rather, I guess, a way to protect the user from doing `rm -rf /` accidentally. On the other hand, adding another layer of obscurity is practically adding a bit of security against script kiddies. But if that is of concern one could also rename the sudo binary.

One last thing: where the SSH trick might be interesting is portability, but in this case I would rather go via a standard TCP socket.

Has anyone prepared a list of distributions indicating the default sudo setup comparing to each other? I'd be interested to see the defaults for each distro as a factor to consider.

It's at the very least incompatible with *some* hypothetical sudo configurations. It's probably a good hardening practice if you know how sudo is going to be set up on the machine.

Not every user who uses sudo is admin or elevates to root.

I've seen a wheel or sudo group often enough to think it's common.