Revisiting su on BSD/Linux

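People who are used to Linux often complain when they move to BSD: why can only members of the wheel group use su? And what is wheel anyway?
At the end of the man page for the GNU version of su there is this explanation from Richard Stallman: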
Sometimes a few of the users try to hold total power over all the
rest. For example, in 1984, a few users at the MIT AI lab decided to
seize power by changing the operator password on the Twenex system and
keeping it secret from everyone else. (I was able to thwart this coup
and give power back to the users by patching the kernel, but I wouldn't
know how to do that in Unix.)

However, occasionally the rulers do tell someone. Under the usual
`su' mechanism, once someone learns the root password who sympathizes
with the ordinary users, he or she can tell the rest. The "wheel
group" feature would make this impossible, and thus cement the power of
the rulers.

I'm on the side of the masses, not that of the rulers. If you are
used to supporting the bosses and sysadmins in whatever they do, you
might find this idea strange at first.

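Nowadays the setup of one large machine room with many diskless workstations sharing a single Unix machine is rare. From a system administrator's point of view, the question is simply whether you trust every user on the machine. If you do not trust a user, allowing that user to su quietly adds a risk.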

If you want su on FreeBSD to follow the same rules as GNU su (with the group restriction removed), there are two solutions:

  1. Install the GNU version of su from coreutils in ports, then alias su gsu
  2. Open /etc/pam.d/su, find the line auth requisite pam_group.so no_warn root_only fail_safe and comment it out.
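
To confirm which state a host is in after such a change, the following added example (not part of the original post) checks whether a PAM policy file for su still has an active pam_group.so rule. The function name su_group_check and the sample policy lines are constructed for illustration; the default group wheel and the group= and deny options are those of FreeBSD's pam_group.

```shell
#!/bin/sh
# su_group_check [FILE]: report whether FILE (default /etc/pam.d/su) contains
# an active auth rule that makes pam_group.so membership mandatory.
# Prints "enforced group=<name>" or "not-enforced". Use "-" to read stdin.
su_group_check() {
    awk '
        { sub(/#.*/, "") }                  # drop whole-line and trailing comments
        # Only required/requisite rules can block su; the module may be
        # written as pam_group.so or as a full path ending in it.
        $1 == "auth" && $2 ~ /^(required|requisite)$/ &&
        $3 ~ /(^|\/)pam_group\.so$/ {
            group = "wheel"                 # pam_group default when group= is absent
            deny = 0
            for (i = 4; i <= NF; i++) {
                if ($i ~ /^group=/) group = substr($i, 7)
                if ($i == "deny") deny = 1  # deny inverts the test: members are refused
            }
            if (!deny) { print "enforced group=" group; found = 1; exit }
        }
        END { if (!found) print "not-enforced" }
    ' "${1:-/etc/pam.d/su}"
}

# Constructed sample: policy with the rule from the post still active.
su_group_check - <<'EOF'
auth    sufficient  pam_rootok.so   no_warn
auth    requisite   pam_group.so    no_warn root_only fail_safe
auth    include     system
EOF

# Constructed sample: the same policy after the rule is commented out.
su_group_check - <<'EOF'
auth    sufficient  pam_rootok.so   no_warn
#auth   requisite   pam_group.so    no_warn root_only fail_safe
auth    include     system
EOF
```

Run with no argument on a FreeBSD host to check the live /etc/pam.d/su; a "not-enforced" result means any user who knows the root password can su.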
