[SGVLUG] Security of using "wheel"...

Emerson, Tom (*IC) Tom.Emerson at wbconsultant.com
Fri Dec 5 17:07:41 PST 2008


> -----Original Message----- Of Rae Yip
> 
> The wheel group isn't as relevant today because sudo and 
> other alternative privilege models. [...]

In this case, "sudo" doesn't exist (this is the Gentoo system I've
inherited)

Of course, I *could* learn the tools to "get and install sudo under
gentoo", but really I'm waiting until the 18th to get v11.1 of SuSE...

> Also, group membership is public info since it's in 
> /etc/passwd, so you're immediately putting a bull's eye on 
> your sysadmins; it'd be very easy to automate local exploits 
> to target members of the wheel group. Whereas sudoers is 
> readable only by root.

I think you meant /etc/group, but yeah,  I see your point...
 
> Finally, limiting wheel members to just local access doesn't 
> work in today's world of mostly remote administration.

Uh, yeah :(

Makes it a royal pain to log in, even via ssh, and "accomplish"
anything...

In fact, I can't log in via ssh anyway -- getting "access denied" -- I
didn't have the foresight to actually create a "key" while I was at the
machine last night...

(I have one *now*, but no way to get it "onto" the machine until I can
sit down at the console...)


More information about the SGVLUG mailing list