September 2nd, 2002, 07:07 PM
Linux: Enforce the wheel group
One of the most common pieces of advice that new users to *nix operating systems receive is to never work as root unless absolutely necessary. Users should always work from a regular user account. The wisdom is undeniable, but having to always log out and back in every time you need to update a package or change a file in /etc can be a real pain in the 455. Fortunately, *nix provides a very handy way to quickly become root for a short time without logging out. It's the su (substitute user) command.
Su allows a user on the system to temporarily become another user. It is most commonly used for becoming root, and in fact if the command is issued with no user specified it defaults to the root account. However, if su isn't properly configured, it can leave gaping security holes in your system by giving undesirable users the possibility of becoming root. Even if the users don't know the root password, a brute force password crack will work sooner or later.
To reduce the risk associated with su, traditional Unix systems (and the *BSDs) require the user to be a member of a group called "wheel" in order to su to root. Unfortunately, the wheel group has been largely forgotten in the Linux world, presumably because so many distributions try to attract newbies and they feel the restriction might be too confusing. I know that Red Hat and Mandrake don't enforce it, while Gentoo does. There may be others, as well.
[RANT] I don't understand this practice at all. Anybody who is too much of a newbie to understand groups and permissions will use GUI-based config tools and not the command line, so how freaking hard is it to put a check box on the add user dialog that says "Allow user to su?" [/RANT]
Fortunately, it's quite easy to create and enforce the wheel group if your distribution of choice doesn't already. Many distributions go ahead and create the group but don't actually enforce it. To check whether the group exists on your system, look at /etc/group and see if wheel is listed. If it is, the first step is already done for you. If it isn't listed there, you'll have to create it:
There are two ways to enforce the group. You can prevent non-wheel users from executing the command at all, or you can allow them to execute the command and su to ordinary users, but not to root.
To prevent users from executing the su command at all, you simply change the permissions on /bin/su to make it belong to group "wheel" and remove the bit that makes it executable by users outside its group. For a refresher on permissions, see my previous tutorial on this topic.
chown root:wheel /bin/su
chmod o-x /bin/su
Next, add the user of your choice to the wheel group with usermod. Be sure to list all the groups to which the user belongs or they will be removed.
usermod -G users,cdwriter,games,audio,video,wheel problemchild
That's it. Any user not belonging to the wheel group who tries to execute /bin/su will get "permission denied." This is probably the more secure of the two methods, because an attacker might manage to crack the password of a user account that *is* in the wheel group and get one step closer to root.
However, if you want to allow users to execute the command but not to become root, that can be done with Linux PAM (pluggable authentication module) settings. Certain binaries like su and other sensitive commands are linked into PAM and can easily be configured to the desired behavior. The settings for su are stored in /etc/pam.d/su. Edit it like so:
auth sufficient /lib/security/pam_rootok.so
# The following line, if uncommented, implicitly trusts users in the "wheel" group (no root password asked).
#auth sufficient /lib/security/pam_wheel.so trust use_uid
# The next line requires a user to be in the "wheel" group.
auth required /lib/security/pam_wheel.so use_uid
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_xauth.so
Now, any user attempting to su to root will be asked for the root password, but will always receive "su: Permission denied."
Enforcing the wheel group is a simple but effective precaution to close off yet one more avenue to root from an attacker.
Do what you want with the girl, but leave me alone!
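As an added example (not part of the original post), here is a small POSIX sh audit script that checks whether either of the two enforcement methods above is actually in place, including the pam_wheel "trust" caveat. The function names and the sample /etc/group and /etc/pam.d/su contents are constructed for illustration.

```shell
#!/bin/sh
# Audit helpers for the two wheel-enforcement methods described in the post.
# Each function reads the relevant file on stdin so it can run against real
# files (e.g. `wheel_group_exists < /etc/group`) or against constructed samples.

# Does a "wheel" group exist in /etc/group at all?
wheel_group_exists() {
    grep -q '^wheel:'
}
# Print the comma-separated member list of wheel (4th field of /etc/group).
wheel_members() {
    awk -F: '$1 == "wheel" { print $4 }'
}

# Method 1: takes the symbolic mode from `ls -l /bin/su` and the owning group.
# Restricted means the group is wheel and "other" has no execute bit
# (the 10th character of the mode string).
su_mode_restricted() {
    mode="$1"; grp="$2"
    [ "$grp" = "wheel" ] || return 1
    case "$mode" in
        ?????????[-T]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Method 2: reads /etc/pam.d/su on stdin. Succeeds only if an uncommented
# "auth required ... pam_wheel.so" line is present.
pam_wheel_required() {
    awk '/^[[:space:]]*#/ { next }
         $1 == "auth" && $2 == "required" && $3 ~ /pam_wheel\.so$/ { f = 1 }
         END { exit f ? 0 : 1 }'
}

# Caveat check: an uncommented "sufficient ... pam_wheel.so ... trust" line
# lets wheel members become root without any password at all.
pam_wheel_trust_enabled() {
    awk '/^[[:space:]]*#/ { next }
         $1 == "auth" && $2 == "sufficient" && $3 ~ /pam_wheel\.so$/ && /trust/ { f = 1 }
         END { exit f ? 0 : 1 }'
}

# Constructed sample inputs, not real system files.
SAMPLE_GROUP='root:x:0:
wheel:x:10:problemchild
users:x:100:'
SAMPLE_PAM='auth sufficient /lib/security/pam_rootok.so
#auth sufficient /lib/security/pam_wheel.so trust use_uid
auth required /lib/security/pam_wheel.so use_uid'
printf '%s\n' "$SAMPLE_PAM" | pam_wheel_required && echo "su to root restricted to wheel via PAM"
```

On a live system, feed the real files instead of the samples, e.g. `pam_wheel_required < /etc/pam.d/su` and `su_mode_restricted "$(ls -l /bin/su | cut -c1-10)" "$(ls -l /bin/su | awk '{print $4}')"`.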
September 2nd, 2002, 07:12 PM
Great post Problem, keep'em comin...
"Now it's time to erase the story of our bogus fate. Our history as it's portrayed is just a recipe for hate!"
September 2nd, 2002, 09:05 PM
Great tutorial, this kind of stuff is why I come to this site.
It's not software piracy. I'm just making multiple off site backups.