Tags

, , ,

Many versions of UNIX do not support the wheel group at all. Hewlett-Packard’s HP-UX is one of these. The main focus and purpose of a wheel group can be summarized thus: Not everyone should be able to run the su command.

To accomplish this does not require a lot. First, the wheel group must be created. Add the group to the /etc/group file:

wheel:*:0:root,dgd

It is not necessarily required that the wheel group occupies userid 0 – but it is entirely appropriate. Don’t forget to add yourself (your normal userid) to this group. Next step is to check the su command:

# ls -ld `which su`
-r-sr-xr-x 1 root bin 19588 Mar 20 2005 /usr/bin/su

Note that this binary is suid; this must be preserved in order for su to work properly. However, the permissions and group ownership must change in order for the wheel group to work properly. Two things must be changed:

  1. World permissions (“other”) must be revoked
  2. Wheel group members must be able to execute this command

These requirements can be satisfied in this manner:

# chmod 4550 `which su`
# chown root:wheel `which su`

This is only the beginning – but satisfies the initial requirements. The rest is optional, but makes things easier for the administrators in the wheel group. In particular, change the permissions on log files to allow those that are members of the wheel group to read them without having to use switch to root.

Advertisements