sudo, not su.

Albert Cahalan acahalan at gmail.com
Fri Dec 21 20:15:09 EST 2007


On Dec 21, 2007 1:27 PM, C. Scott Ananian <cscott at laptop.org> wrote:
> I think people misunderstand the core problem: if root does not have a
> password, then *any activity on the system* can gain root privileges
> by su'ing to root.

This is not a given. Much has to be in place for
this to happen. Off the top of my head...

1. the "su" binary must be in the namespace
2. the "su" binary must not be overmounted
3. the "su" binary must be on a suid filesystem
4. the "su" binary must be setuid root
5. the "su" binary permission must allow execution
6. /etc/pam.d/su must not have pam_wheel.so set up
7. no SE Linux restrictions block required transitions

Pay attention to number 7. Look here:

-bash-3.2# cat /etc/pam.d/su
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            include         system-auth
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         optional        pam_xauth.so
-bash-3.2#

So it looks like you just uncomment line 6 in that file,
add user "olpc" to the "wheel" group, and verify that
nothing is copying supplementary groups to activities.

(hey, I saved one byte!)
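An added example, not part of the original thread: a small POSIX shell audit of several of the preconditions listed above. It checks a pam.d/su file for an active pam_wheel.so line (and for the "trust" variant shown commented out in the file, which gives wheel members root with no password at all), whether the filesystem holding su is mounted nosuid, and whether the binary is executable with the setuid bit set. The PAM and mounts files it writes are constructed samples; point the functions at /etc/pam.d/su and /proc/mounts to audit a real system.

```shell
#!/bin/sh
# Audit helpers for the su-to-root preconditions discussed in the post.
# Sample inputs below are constructed for this example; use /etc/pam.d/su
# and /proc/mounts for a live check. Owner-is-root is not tested here.

# 0 if an active (uncommented) "auth required/requisite pam_wheel.so" line
# exists, i.e. su to root is limited to members of the wheel group.
pam_su_requires_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_wheel\.so' "$1"
}

# 0 if the pam_wheel "trust" option is active: wheel members become root
# with no password at all, which widens access rather than narrowing it.
pam_su_trusts_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_wheel\.so.*[[:space:]]trust([[:space:]]|$)' "$1"
}

# 0 if the filesystem holding path $2 is mounted nosuid according to the
# /proc/mounts-format table $1 (longest matching mount point wins).
mounted_nosuid() {
    awk -v p="$2" '
        {
            mp = $2
            if (mp == "/" || p == mp || substr(p, 1, length(mp) + 1) == (mp "/")) {
                if (length(mp) >= best_len) { best_len = length(mp); opts = $4 }
            }
        }
        END { exit !(opts ~ /(^|,)nosuid(,|$)/) }
    ' "$1"
}

# 0 if $1 is a regular file that is executable and carries the setuid bit
# (conditions 1, 4 and 5 from the post).
setuid_executable() {
    [ -f "$1" ] && [ -x "$1" ] && [ -u "$1" ]
}

# Demo on constructed data: a default-style su file, a wheel-restricted one,
# and a mounts table where /usr is nosuid.
demo() {
    d=$(mktemp -d)
    printf 'auth\tsufficient\tpam_rootok.so\n#auth\trequired\tpam_wheel.so use_uid\n' > "$d/su.default"
    printf 'auth\tsufficient\tpam_rootok.so\nauth\trequired\tpam_wheel.so use_uid\n' > "$d/su.wheel"
    printf 'rootfs / rootfs rw 0 0\n/dev/mtdblock0 /usr jffs2 ro,nosuid 0 0\n' > "$d/mounts"
    pam_su_requires_wheel "$d/su.default" && echo "default: wheel enforced" || echo "default: any user may try su"
    pam_su_requires_wheel "$d/su.wheel" && echo "wheel: wheel enforced"
    mounted_nosuid "$d/mounts" /usr/bin/su && echo "/usr/bin/su: nosuid mount, setuid bit ignored"
    rm -rf "$d"
}
demo
```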



More information about the Devel mailing list