为何OpenBSD3.5下wheel组的用户不能su成root？

davidkang

如题：建了一个admin的用户，组是wheel的，但当用这用户su时出现如下提示，请提教什么原因？或列一下adduser的过程。

$ su
Password:
you are not in group wheel
Sorry
$ id admin
uid=1000(admin) gid=0(wheel) groups=0(wheel)
$
$

明明是wheel组的啊！

建立过程如下：
Ok, let's go.
Don't worry about mistakes. I will give you the chance later to correct any input.

Enter username []: admin
Enter full name []: admin
Enter shell csh ksh nologin sh [sh]:
Uid [1002]:
Login group admin [admin]: wheel
Login group is ``wheel''. Invite admins into other groups: guest no
[no]: no
Login class auth-defaults auth-ftp-defaults daemon default staff
[default]:
Enter password []:
Enter password again []:

Name:        admin
Password:    ****
Fullname:    admin
Uid:         1002
Gid:         0 (wheel)
Groups:      wheel
Login Class: default
HOME:        /home/admins
Shell:       /bin/sh
OK? (y/n) [y]:y

请指正！谢谢。

stevens_wu

奇怪了！cat /etc/groups结果贴出来看看

slzq

#vi /etc/group

wheel:*:0:root,youuser

davidkang

原帖由 "slzq" 发表：
#vi /etc/group

wheel:*:0:root,youuser

谢谢，按slzq的做法解决了。


$ su
Password:
openbsd# who
david     ttyC0    Oct 28 14:46
admin    ttyp0    Oct 28 14:48   (210.XXX.XXX.XXX)
openbsd#

Freebsd中不用这样，看来要适应它们的不同。
顺道问一下：wheel:*:0:root,user1,user2--这里是列组成员吗？

davidkang

还发现一个现象，不解？在这也问一下。

我在用的这个openbsd，default install后，ssh中，root用户可以直接login进系统。但我不想这样，我需要su的办法。所以我在:
/etc/ssh/sshd_config文件中设了PermitRootLogin为no，但设置了之后，root还是可以直接从ssh远程直接login进系统？

login as: root
Sent username "root"
root@210.xxx.xxx.xxx's password:
Last login: Thu Oct 28 14:45:38 2004 from 210.xxx.xxx.xxx
OpenBSD 3.5 (GENERIC) #34: Mon Mar 29 12:24:55 MST 2004

Welcome to OpenBSD: The proactively secure Unix-like operating system.

Please use the sendbug(1) utility to report bugs in the system.
Before reporting a bug, please try to reproduce it with the latest
version of the code.  With bug reports, please try to ensure that
enough information to reproduce the problem is enclosed, and if a
known fix for it exists, include that as well.

Terminal type? [xterm]
Don't login as root, use su
Read the afterboot( man page for administration advice.
openbsd#

sshd_config如下：
#       $OpenBSD: sshd_config,v 1.68 2003/12/29 16:39:50 millert Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem       sftp    /usr/libexec/sftp-server
请指正。谢谢

rianren

Sudo Aliases and Exclusions (BSD DevCenter)
The hardest part to using sudo is configuring sudoers, its permissions file. Michael Lucas shows how to simplify sudo maintenance and clean up your sudo configuration using aliases.

Eliminating Root with Sudo (BSD DevCenter)
As the system administrator, you're stuck between deciding to hand out the root password or doing everything for your users. A third solution is sudo. This article shows you how to implement sudo, which you may already have, since it is integrated into OpenBSD and Mac OS X and is an add-on package for just about every other Unix-like operating system out there.

Using Groups to Eliminate Root (BSD DevCenter)
Strategic use of groups can eliminate the need to give the root password to people, but still allow them to do their job.



http://www.onlamp.com/topics/bsd/administration

rianren

oh, my god! 怎么我的用户资料都没有了!

rainren

http://www.onlamp.com/topics/bsd/
这里的资料很多, 我上次down了好多在看!

davidkang

有所启发，但这里的admin是我自己专用的，所以root's password is just I know!，但正如你所说的，sudo的确是个好办法。看来我要专心看看man sudo了。
还有rianren,你是哪个提议编定"openbsd 学习方法“的哪个rianren吗？还是同名而尔。  我近期也在看E版的obsd-faq.pdf，用得着我帮忙的话，我也想出一份力。

slzq

把"ermitRootLogin yes"

加上注释掉试试~