sudo, not su.

Albert Cahalan acahalan at gmail.com
Sat Dec 22 01:05:11 EST 2007


James Cameron writes:

> It doesn't seem like it would be difficult to write an activity that
> opens a pty (like Terminal does), issues an su, and thus gives itself
> elevated privileges.  That's why the rest of the activity isolation
> security model is important.

Uncomment line 6 of /etc/pam.d/su and try it.

Place user "olpc" into the "wheel" group as desired,
or just log in from the Linux console. No problem.
The evil activity won't be able to do this.

That said, SE Linux would be a damn good idea.
This kind of problem gets stopped cold before it
even gets started.
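
An added example, not part of the original post: a small audit of the two settings the message mentions. It assumes the line in question is the `pam_wheel.so` entry that Fedora-style `/etc/pam.d/su` files ship commented out (the post does not quote it), and it runs on constructed sample files rather than a real system.

```shell
# su_wheel_status FILE: prints "enforced", "commented" or "absent".
# Assumption: the relevant entry is "auth required pam_wheel.so use_uid",
# which makes su fail for any caller outside the wheel group.
su_wheel_status() {
    awk '
        # active line that makes pam_wheel.so mandatory
        /^[ \t]*auth[ \t]+(required|requisite)[ \t]+pam_wheel\.so/ { active = 1 }
        # same line still commented out
        /^[ \t]*#[ \t]*auth[ \t]+(required|requisite)[ \t]+pam_wheel\.so/ { commented = 1 }
        END {
            if (active) print "enforced"
            else if (commented) print "commented"
            else print "absent"
        }
    ' "$1"
}

# in_wheel USER GROUPFILE: exit 0 if USER is listed as a member of wheel.
# Only supplementary membership in the group file is checked.
in_wheel() {
    awk -F: -v u="$1" '
        $1 == "wheel" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$2"
}

# Constructed sample inputs (not copied from a real image).
tmp=$(mktemp -d)
printf '%s\n' '#%PAM-1.0' 'auth sufficient pam_rootok.so' \
    '#auth required pam_wheel.so use_uid' \
    'auth include system-auth' > "$tmp/su.stock"
sed 's/^#auth/auth/' "$tmp/su.stock" > "$tmp/su.hardened"
printf '%s\n' 'root:x:0:' 'wheel:x:10:root,olpc' 'olpc:x:500:' > "$tmp/group"

su_wheel_status "$tmp/su.stock"
su_wheel_status "$tmp/su.hardened"
in_wheel olpc "$tmp/group" && echo "olpc is in wheel"
```

On a live system the same functions take `/etc/pam.d/su` and `/etc/group` as arguments.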


