wheel groups and permissions
On Root privileges
You can remove root login, root password etc. You will then need some other way to get admin things done, such as:
- adding users to groups
- configuring sudo to give fine-grained permissions
- giving users and programs capabilities. root has recently been broken into a number of capabilities, so where you read that you need root to do something, you will now probably need only one capability. To give a program capabilities you use setcap (see "What are the different ways to set file permissions etc on gnu/linux"); it is like setuid root, but fine-grained. To give users capabilities, have a look at PAM (I have no idea).
You can reduce root privileges with mandatory access control such as SELinux and similar. These are also new; they limit what a process or user can do. This limitation is in addition to the traditional file permissions and "am I root"/capabilities.
On wheel
Users in group wheel will be able to su to root, if they have the password (GNU su does not do this check; it is the only GNU tool I know of that is less capable than other variants). Adding a user to sudo/sudoers (depending on configuration) is often preferable.
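An added example (not part of the original answer or its comments) that audits the settings discussed here: whether su is restricted to wheel in a PAM su file, who is in wheel, and whether sshd still accepts root logins. The `pam_wheel.so` module name, the `PermitRootLogin` keyword and the function names are assumptions not taken from the page, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: file paths are arguments, so the checks can run on copies.

# Succeeds if an active (uncommented) auth rule loads pam_wheel.so.
su_requires_wheel() {
    awk '$1 ~ /^-?auth$/ && /pam_wheel\.so/ { found = 1 }
         END { exit !found }' "$1"
}

# Prints the members of a group (default: wheel) from a group(5) file.
# Users who have the group only as their primary GID are not listed there.
group_members() {
    awk -F: -v g="${2:-wheel}" '$1 == g {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$1"
}

# Prints the global PermitRootLogin value from an sshd_config file.
# sshd keeps the first value it reads; this stops at the first Match block,
# ignores Include files, and falls back to the upstream default
# (prohibit-password since OpenSSH 7.0) when the keyword is absent.
root_ssh_login() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "prohibit-password" }' "$1"
}

# Constructed sample inputs (not taken from a real host).
tmp=$(mktemp -d)
printf '%s\n' '# auth required pam_wheel.so' 'auth sufficient pam_rootok.so' > "$tmp/su.default"
printf '%s\n' 'auth sufficient pam_rootok.so' 'auth required pam_wheel.so' > "$tmp/su.hardened"
printf '%s\n' 'root:x:0:' 'wheel:x:10:alice,bob' > "$tmp/group"
printf '%s\n' '# PermitRootLogin yes' 'PermitRootLogin no' 'PermitRootLogin yes' > "$tmp/sshd_config"

for f in su.default su.hardened; do
    if su_requires_wheel "$tmp/$f"; then
        echo "$f: su restricted to wheel"
    else
        echo "$f: any user with the root password can su"
    fi
done
echo "wheel members: $(group_members "$tmp/group" | tr '\n' ' ')"
echo "root over ssh: $(root_ssh_login "$tmp/sshd_config")"
```

On a live host the same functions can be pointed at /etc/pam.d/su, /etc/group and the sshd configuration file.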
Darth_Tom
Updated on September 18, 2022
Comments
-
Darth_Tom over 1 year
I'm new to a lot of things Linux, so this might be basic stuff. We're thinking about setting up a wheel group and removing permissions from root. Not even sure that's possible. We are having a security issue with a brute force attack and want to disable root or remove permissions if they are able to get in. Is there a better method for handling this?
-
ctrl-alt-delor about 9 years
You can remove root login, root password etc. You can reduce root privileges only with SELinux, and similar. root normally has all privileges. You can give some of root's capabilities to other users and programs. Users in group wheel will be able to su to root, if they have the password (GNU su does not do this check; it is the only GNU tool I know of that is less capable than other variants).
-
michas about 9 years
What kind of brute force attack are you talking of?
-
derobert about 9 years
@richard "GNU su" (it isn't actually a GNU project, AFAIK) does whatever permission checks—including membership in wheel—you tell it to in the PAM config. At least on Debian, there is even a commented out example in /etc/pam.d/su on how to do that... Other than that, please post your answer as an answer instead of a comment.
-
muru about 9 years
@derobert The copyright for that says "Some parts substantially in src/su.c derived from an ancestor of su for GNU", so I doubt Debian's su is the same as GNU su.
-
derobert about 9 years
@muru true, I'm not sure if there are any Linux distros using GNU coreutils su. Especially if it doesn't support PAM!
-