# passwordless su



## dbi (Oct 14, 2010)

Hi,

How to set the "wheel" group members (and/or any other explicitly named group) to do "su" w/o password?

In GNU/Linux it can be achieved by "pam_wheel", e.g.:


```
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
auth            sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth            required        pam_wheel.so use_uid
auth            include         system-auth
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         optional        pam_xauth.so
```


----------



## sixtydoses (Oct 14, 2010)

Run `$ visudo` and uncomment the following line.


```
%wheel ALL=(ALL) NOPASSWD: ALL
```


----------



## SirDice (Oct 14, 2010)

Visudo is for administering sudo access, it has nothing to do with su.

You cannot have a password-less su.


----------



## sixtydoses (Oct 14, 2010)

Eek yea I misread. Meh.


----------



## Galactic_Dominator (Oct 14, 2010)

SirDice said:

> You cannot have a password-less su.



You can if the root passwd is blank, although I don't know pam so I couldn't say if FreeBSD allows it.


----------



## luna (Oct 14, 2010)

In /etc/pam.d/su, comment out the line containing *auth* and *system*, e.g.:

```
auth		requisite	pam_group.so		no_warn group=wheel root_only fail_safe
#auth		include		system
```
The pam_group(8) line should be enough to restrict access to only the "wheel" group.


----------
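
Added example, not part of any post in this thread: a small audit check that walks the `auth` lines of a PAM service file such as /etc/pam.d/su and reports rules that can let authentication finish before a password is verified, run here over the two stacks posted above. The function name `audit_auth_stack` and the three sets are assumptions of this sketch; in particular it treats only `pam_unix.so` and an `include` of `system` or `system-auth` as a password check.

```python
import re

# Assumptions of this sketch: only these count as "verifies a password".
PASSWORD_MODULES = {"pam_unix.so"}
PASSWORD_INCLUDES = {"system", "system-auth"}  # include targets seen in the thread
ALREADY_ROOT = {"pam_rootok.so"}               # only passes when the caller is uid 0

# auth <control> <module-or-include-target>; control may be a [bracketed] form
RULE = re.compile(r"^\s*auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")

# Stacks copied from the posts above (auth lines and their comments only).
LINUX_SU = """\
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
auth            sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth            required        pam_wheel.so use_uid
auth            include         system-auth
"""
FREEBSD_SU = """\
auth    requisite   pam_group.so    no_warn group=wheel root_only fail_safe
#auth   include     system
"""

def audit_auth_stack(text):
    """Return (line_number, finding) pairs worth a reviewer's attention."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        match = RULE.match(raw.split("#", 1)[0])  # drop comments first
        if not match:
            continue
        control, target = match.groups()
        is_include = control == "include" and target in PASSWORD_INCLUDES
        if target in PASSWORD_MODULES or is_include:
            return findings  # later rules sit behind a password check
        if control == "sufficient" and target not in ALREADY_ROOT:
            findings.append((lineno, f"{target} can end auth before a password check"))
    # Fell off the end: no rule in the stack verifies a password (line 0 = whole file).
    findings.append((0, "auth stack never reaches a password check"))
    return findings

if __name__ == "__main__":
    for name, stack in (("linux", LINUX_SU), ("freebsd", FREEBSD_SU)):
        for lineno, finding in audit_auth_stack(stack):
            print(f"{name}: line {lineno}: {finding}")
```

A finding is a prompt for review rather than proof of password-less access, since whether a flagged module actually returns success depends on its options and on group membership.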



## SirDice (Oct 14, 2010)

Galactic_Dominator said:

> You can if the root passwd is blank


Definitely not recommended. And I don't recommend a password-less su or sudo either.


----------



## dbi (Oct 14, 2010)

luna said:

> in /etc/pam.d/su comment out the line containing *auth* and *system* e.g.
> 
> 
> 
> ...



Doesn't work here?


----------



## phoenix (Oct 14, 2010)

Uhm, why would you want a password-less su command?  That's just asking for a rooting.

Install sudo and use that.  At least then you can lock it down to specific commands that can be run as root without requiring a password.

But allowing people to become root without a password?  That's madness.


----------



## dbi (Oct 14, 2010)

phoenix said:

> Uhm, why would you want a password-less su command?  That's just asking for a rooting.
> 
> Install sudo and use that.  At least then you can lock it down to specific commands that can be run as root without requiring a password.
> 
> But allowing people to become root without a password?  That's madness.



While being afraid the discussion would go off-topic, I believe those questions really deserve an answer.

At first glance the idea seems scary indeed, but actually it is all about convenience with no security reduction in this particular case. 

- Who can do "switch user" (su)?
- The wheel members only.
- Who is a wheel member?
- No one but root and yours truly.
- Who has an ssh access?
- Another account with no "wheel" membership and no one else. 

If someone cracked the dedicated ssh account, they could not do "su" from it. So, what's the point to enter the root's password every time I want to do an administrative task?

Finally, a few words about sudo.
I dislike sudo.
I like su.
I'd always prefer to type the root password before switching to sudo.

So, back to the original question: is FreeBSD capable of doing passwordless su?


----------



## Galactic_Dominator (Oct 15, 2010)

Maybe blank root password and no root login access via /etc/ttys?


----------



## jalla (Oct 15, 2010)

Apart from the fact that sudo is an addon, what's the difference of su/sudo if sudo is limited to the wheel group only? With sudo set up you could even create a shortcut if you like:

```
alias su='sudo sh'
```


----------

