If you have grown accustomed to FreeBSD administration, you have probably learned that users need to be members of the wheel group to be able to use the su command. Some in the land of GNU don't agree so much with this way of doing things and firmly believe that wheel is an instrument of power (which is true in a literal sense), but that's another story.
In fact I am perfectly fine with this, save for one little detail. By default most log files are owned by root:wheel. While some of them have permission 600, a lot of them are 640, which means that members of the wheel group (that is, everyone allowed to su) are able to read them. We basically have two ways to fix this:
- Fix the permissions in /etc/newsyslog.conf.
- Use another group instead of wheel for the su command.
Fixing newsyslog.conf is quite easy: just replace the mode column with whatever permission you fancy (in our case 600). newsyslog is not a daemon but is run from /etc/crontab, so the new mode only applies the next time a log is rotated; existing files have to be fixed by hand, for instance with find /var/log -type f -exec chmod 600 {} \;. Be a little careful with that command, though: a few files under /var/log are world-readable on purpose, such as /var/log/utx.log which last(1) reads, and chmod 600 on those breaks such tools for unprivileged users.
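Putting the two halves of that fix into a script, as an added example that is not part of the original post: it audits a log directory for files that are still group- or world-readable, tightens them, and rewrites the mode column of a newsyslog.conf so rotated logs are created 600 from then on. It assumes a FreeBSD-style /var/log and newsyslog.conf(5) layout, exempts the utx.* files (last(1) and lastlogin(8) need them readable), and takes the directory as a parameter so it can be tried on a scratch tree first.

```shell
#!/bin/sh
# Added example, not from the original post: audit /var/log for files that are
# still readable by group or others, tighten them, and rewrite the mode column
# of a newsyslog.conf so that rotated logs are created 600 from then on.
# Assumptions: a FreeBSD-style /var/log and newsyslog.conf(5) layout; the
# exemption pattern 'utx[.]' keeps /var/log/utx.log and utx.lastlogin readable,
# since last(1) and lastlogin(8) need them; the directory is a parameter so the
# functions can be tried on a scratch tree first.

# Regular files under $1 with the group- or other-read bit set, minus exemptions.
list_exposed_logs() {
    find "$1" -type f ! -name 'utx.*' \( -perm -g+r -o -perm -o+r \)
}

# Number of files list_exposed_logs would report (BSD wc pads with spaces).
count_exposed_logs() {
    list_exposed_logs "$1" | wc -l | tr -d ' '
}

# chmod 600 everything list_exposed_logs would report.
fix_log_modes() {
    find "$1" -type f ! -name 'utx.*' \( -perm -g+r -o -perm -o+r \) -exec chmod 600 {} +
}

# Read a newsyslog.conf on stdin and print it with every mode set to 600,
# except for logs whose path matches the awk regex in $1 (empty = no exemption).
# The owner:group column is optional; newsyslog recognises it by a ':' or '.'
# in the field, so the mode is $3 when it is present and $2 otherwise.
tighten_newsyslog_modes() {
    awk -v keep="$1" '
        /^[[:space:]]*(#|$)/ { print; next }       # comments and blank lines
        $1 == "<include>"    { print; next }       # include directives
        {
            m = ($2 ~ /[:.]/) ? 3 : 2
            if ((keep == "" || $1 !~ keep) && $m != "600") $m = "600"
            print
        }'
}

# Usage: sh fixlogs.sh audit | conf | apply
# "conf" prints the rewritten newsyslog.conf for review; install it over
# /etc/newsyslog.conf by hand once it looks right.
case "${1:-}" in
    audit) list_exposed_logs /var/log ;;
    conf)  tighten_newsyslog_modes 'utx[.]' < /etc/newsyslog.conf ;;
    apply) fix_log_modes /var/log ;;
esac
```

The find expression only looks at mode bits, so files that other daemons own (and which therefore never were readable through wheel) are tightened too; if a log reader such as a monitoring agent runs under its own group, add its files to the exemption pattern rather than loosening everything again.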
However that might not be enough. You see, on most BSDs wheel has gid 0, whereas on Linux it is root that has gid 0. Nobody is supposed to be a member of root, but it serves as a general-purpose group for anything owned solely by root. As such you can often use chown 0:0 as a synonym for "owned by root".
But root:root on Linux does not have the same meaning as root:wheel on BSD. In particular you can generally suppose that files owned by root:root with permission 640 on Linux are only readable by the root user, but the same supposition doesn't translate so well for us BSD users: a 640 file owned by root:wheel is readable by every member of wheel.
While I'm not keen on importing this kind of Linuxism into FreeBSD, one way to deal with it would be to use another group for su users. For this we would:
- Create the su system group.
- Move all members of wheel to this group.
- Modify /etc/pam.d/su to use group=su instead of group=wheel.
Do it in that order: the stock pam_group line in /etc/pam.d/su carries the fail_safe option, which makes the module ignore itself when the named group does not exist or is empty, so switching PAM over before the su group is populated silently removes the group check instead of locking everybody out.
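The three steps as a script, added here as an example and not part of the original post. It assumes FreeBSD's pw(8) (with -m to add and -d to remove group members) and the stock pam_group line in /etc/pam.d/su; the only destructive part is the apply branch, the helpers themselves read stdin or a group(5) file and can be tried on constructed input.

```shell
#!/bin/sh
# Added example, not from the original post: move su users from wheel to a
# dedicated group and point /etc/pam.d/su at it, in an order that never leaves
# pam_group looking at an empty group.
# Assumptions: FreeBSD pw(8) with `pw groupmod -m` (add members) and `-d`
# (remove members); the stock /etc/pam.d/su line
#   auth  requisite  pam_group.so  no_warn group=wheel root_only fail_safe ruser
# Because of fail_safe, pam_group ignores itself when the named group does not
# exist or is empty, so the group is created and filled before PAM is touched.

# Print the members of group $2 listed in the group(5) file $1, one per line.
wheel_members() {
    awk -F: -v g="$2" '$1 == g && $4 != "" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) print m[i]
    }' "$1"
}

# Rewrite the pam_group line read on stdin to use the group named in $1;
# every other line passes through untouched.
rewrite_su_pam() {
    sed "s/\(pam_group\.so.*group=\)wheel/\1$1/"
}

# Do the migration in the safe order. Keep a root shell open and test su from
# another session before closing it, so a mistake cannot lock you out.
migrate_su_group() {
    group=${1:-su}
    pw groupshow "$group" >/dev/null 2>&1 || pw groupadd "$group"
    for u in $(wheel_members /etc/group wheel); do
        pw groupmod "$group" -m "$u"
        pw groupmod wheel -d "$u"
    done
    # Only now is the new group guaranteed non-empty, so PAM may use it.
    rewrite_su_pam "$group" < /etc/pam.d/su > /etc/pam.d/su.new &&
        mv /etc/pam.d/su.new /etc/pam.d/su
}

# Usage: sh su-group.sh apply [groupname]   (default group name: su)
case "${1:-}" in
    apply) migrate_su_group "${2:-su}" ;;
esac
```

Note that the pam_group line keeps root_only, so the new group is still only consulted when the target user is root; su to any other account remains a plain password check, exactly as it was with wheel.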
Now I don't personally do that, but I guess what you do is your business.