passwordless su

Hi,

How to set the "wheel" group members (and/or any other explicitly named group) to do "su" w/o password?

In GNU/Linux it can be achieved by "pam_wheel", e.g.:

Code:
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
auth            sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth            required        pam_wheel.so use_uid
auth            include         system-auth
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         optional        pam_xauth.so
 
Visudo is for administering sudo access, it has nothing to do with su.

You cannot have a password-less su.
 
In /etc/pam.d/su comment out the line containing auth and system, e.g.
Code:
auth		requisite	pam_group.so		no_warn group=wheel root_only fail_safe
#auth		include		system
pam_group(8) line should be enough to restrict access to only "wheel" group
 
Galactic_Dominator said:
You can if the root passwd is blank
Definitely not recommended. And I don't recommend a password-less su or sudo either.
 
luna said:
In /etc/pam.d/su comment out the line containing auth and system, e.g.
Code:
auth		requisite	pam_group.so		no_warn group=wheel root_only fail_safe
#auth		include		system
pam_group(8) line should be enough to restrict access to only "wheel" group

Doesn't work here?
 
Uhm, why would you want a password-less su command? That's just asking for a rooting.

Install sudo and use that. At least then you can lock it down to specific commands that can be run as root without requiring a password.

But allowing people to become root without a password? That's madness.
 
phoenix said:
Uhm, why would you want a password-less su command? That's just asking for a rooting.

Install sudo and use that. At least then you can lock it down to specific commands that can be run as root without requiring a password.

But allowing people to become root without a password? That's madness.

While being afraid the discussion would go off-topic, I believe those questions really deserve an answer.

At first glance the idea seems scary indeed, but actually it is all about convenience with no security reduction in this particular case.

- Who can do "switch user" (su)?
- The wheel members only.
- Who is a wheel member?
- No one but root and yours truly.
- Who has an ssh access?
- Another account with no "wheel" membership and no one else.

If someone cracked the dedicated ssh account, they could not do "su" from it. So, what's the point to enter the root's password every time I want to do an administrative task?

Finally, a few words about sudo.
I dislike sudo.
I like su.
I'd always prefer to type the root password before switching to sudo.

So, back to the original question: is FreeBSD capable of doing passwordless su?
 
Apart from the fact that sudo is an addon, what's the difference of su/sudo if sudo is limited to the wheel group only? With sudo set up you could even create a shortcut if you like
Code:
alias su='sudo sh'
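
Added example, not part of any post in this thread: a small Python audit of the two `su` auth stacks quoted above, reporting which groups are let through by a `sufficient` membership rule before any password step, and whether a password step is still active. It assumes that an `include` line or `pam_unix.so` is where the password prompt lives; the function names are hypothetical.

```python
# Modules quoted in this thread that decide on group membership
# and never ask for a password.
MEMBERSHIP_MODULES = {"pam_wheel.so", "pam_group.so"}

def parse_auth_rules(text):
    """Return active (control, module, args) tuples for the auth facility."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # commented-out rules are inactive
        if len(fields) >= 3 and fields[0] == "auth":
            rules.append((fields[1], fields[2], fields[3:]))
    return rules

def audit_su_stack(text):
    """Report groups that skip the password and whether a password step remains."""
    trusted_groups, password_step = [], False
    for control, module, args in parse_auth_rules(text):
        # Assumption: the included stack (or pam_unix.so) prompts for the password.
        if control == "include" or module == "pam_unix.so":
            password_step = True
        elif (control == "sufficient" and module in MEMBERSHIP_MODULES
              and not password_step):
            # Without "trust", pam_wheel returns PAM_IGNORE for members,
            # so a "sufficient" flag alone does not end the stack early.
            if module == "pam_wheel.so" and "trust" not in args:
                continue
            group = next((a.split("=", 1)[1] for a in args
                          if a.startswith("group=")), "wheel")
            trusted_groups.append(group)
    return {"trusted_groups": trusted_groups, "password_step": password_step}

# Auth lines copied from the two stacks posted in this thread.
LINUX_SU = """\
auth  sufficient  pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
auth  sufficient  pam_wheel.so trust use_uid
auth  required    pam_wheel.so use_uid
auth  include     system-auth
"""
FREEBSD_SU = """\
auth  requisite  pam_group.so  no_warn group=wheel root_only fail_safe
#auth include    system
"""

if __name__ == "__main__":
    for name, stack in (("linux", LINUX_SU), ("freebsd", FREEBSD_SU)):
        print(name, audit_su_stack(stack))
```

For the Linux stack this reports `wheel` as trusted with the password step still present for everyone else; for the edited FreeBSD stack it reports no trusted group and no password step at all, which is a different configuration from the Linux one rather than its equivalent.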
 