Misleading message in 'su' info document

Bruce A. Locke blocke at shivan.org
Wed Aug 20 02:20:42 UTC 2003


On Tue, 2003-08-19 at 20:39, Thornton Prime wrote:

> I think it would be a mistake to document PAM functionality in the su
> info pages.
>
> You may be right about the historical rant. Even though I disagree with
> RMS, I think it is a nice bit of history, and I like your idea of
> preserving it elsewhere.

I agree.

> I don't know how to do this with PAM. Can you explain how this is done?
> On my systems, when I add
> 
>   auth required /path/pam_wheel.so use_uid
> 
> it limits user to user su also. Is there an option I'm missing?

I'm afraid I'm wrong.  I assumed pam_wheel behaved like the wheel group
does in *BSD.  I'm disappointed that it has such a limitation. 

> And it could be done just as easily with other methods, like RBAC and
> stuff.

Of course that would be the better solution but for now we are left with
suid binaries and su and sudo. :)

> I guess I don't have a problem mentioning in the su info that there are ways
> of getting wheel limits (and pointing to PAM as one), but the su doc is
> not the place to document pam_wheel.

Yes, I agree.  I think simply removing the rant (and moving it to
another file for historical/humor purposes) would be good enough.  At
least that way users are not being told that the functionality is not
being provided when there are ways of getting it (aka uncommenting a
single line in a single file).


-- 
---------------------------------------------------------------------
Bruce A. Locke
blocke at shivan.org





