Opened 6 years ago
Closed 6 years ago
#4376 closed defect (fixed)
Non-existent group "wheel" in /usr/lib/tmpfiles.d/systemd.conf
Reported by: | Xi Ruoyao | Owned by: | Douglas R. Reno |
---|---|---|---|
Priority: | normal | Milestone: | 8.4 |
Component: | Book | Version: | systemd |
Severity: | normal | Keywords: | |
Cc: |
Description
I just built a fresh new LFS-20181109-systemd and see something strange in the journal:
systemd-tmpfiles[185]: Failed to parse ACL "d:group:adm:r-x,d:group:wheel:r-x": Invalid argument. Ignoring
This is because we don't have a "wheel" group, but systemd-239 assumes it exists. We can create this group, or remove it from systemd.conf with some sort of sed.
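A check for the condition reported above, as an added example that is not part of the ticket or the LFS book: it scans tmpfiles.d text for ACL lines (types a, a+, A, A+) and reports group qualifiers that are absent from /etc/group-formatted text. The sample inputs are constructed, the function names are hypothetical, and it assumes groups are resolved from /etc/group only.

```python
# Constructed sample inputs (not copied from a real system). The first ACL
# string is the one quoted in the journal message in the ticket.
SAMPLE_TMPFILES = """\
# Type Path Mode User Group Age Argument
d  /run/log/journal 0755 root systemd-journal - -
a+ /run/log/journal/%m - - - - d:group:adm:r-x,d:group:wheel:r-x
a+ /run/log/journal/%m/*.journal* - - - - group:adm:r--,user::rw-
"""
SAMPLE_GROUP = """\
root:x:0:
adm:x:16:
systemd-journal:x:23:
"""

def known_groups(group_text):
    """Names and numeric GIDs present in /etc/group-formatted text."""
    known = set()
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and not line.startswith("#"):
            known.update((fields[0], fields[2]))
    return known

def acl_groups(acl_spec):
    """Yield the group qualifiers named in a setfacl-style ACL string."""
    for entry in acl_spec.split(","):
        parts = entry.strip().split(":")
        if parts[0] in ("d", "default"):  # optional default-ACL prefix
            parts = parts[1:]
        # tag:qualifier:perms; an empty qualifier means the owning group
        if len(parts) == 3 and parts[0] in ("g", "group") and parts[1]:
            yield parts[1]

def missing_acl_groups(tmpfiles_text, group_text):
    """Return (line number, path, group) for ACL lines naming unknown groups."""
    known = known_groups(group_text)
    findings = []
    for lineno, line in enumerate(tmpfiles_text.splitlines(), 1):
        fields = line.split(None, 6)
        # Only a/a+/A/A+ lines carry an ACL in the seventh (Argument) field
        if len(fields) < 7 or fields[0][0] not in "aA":
            continue
        findings.extend((lineno, fields[1], group)
                        for group in acl_groups(fields[6]) if group not in known)
    return findings

if __name__ == "__main__":
    for lineno, path, group in missing_acl_groups(SAMPLE_TMPFILES, SAMPLE_GROUP):
        print(f"line {lineno}: {path}: group {group!r} not in group file")
```
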
Change History (9)
comment:2 by , 6 years ago
I'm not too attached to it, but I see wheel more and more (likely as a result of systemd). I do use it for sudoers locally. I just want to make sure it is discussed before killing it off from the get go. Thoughts?
comment:3 by , 6 years ago
I don't really see a problem creating a wheel group when we create /etc/group. Looking at what we have in LFS and BLFS, I'd suggest a gid of 97 or possibly 100.
comment:4 by , 6 years ago
I agree here - let's put it in /etc/group
GID of 97 would fit the best IMO. It would make us the most consistent with other distros (my CIT-132 class has us examining the differences between 11 different distros, and they all have a wheel group below GID 100).
comment:5 by , 6 years ago
If we add the wheel group we should also introduce the pam_wheel module of Linux-PAM in BLFS.
comment:6 by , 6 years ago
I suppose for su, we'd do auth required pam_wheel.so to prevent misconfiguration of sudo allowing regular su access. For chage and the rest, these are all root only as of now and require sudo. Would it be appropriate to do an early {auth,account} sufficient pam_wheel.so before their -system counterparts for all of the default binaries for which we create a specific configuration? The same does not apply to sudo as you would use its configuration directly, though I'd probably add the wheel group to the default configuration there.
comment:7 by , 6 years ago
To clarify, this configuration would allow members of the wheel group to do unsightly things like 'sudo su' but I think that's the whole point of the module, if you have wheel access, you had best know what you are doing anyway.
comment:8 by , 6 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
We should add the meson option '-Dwheel-group=false' to tell systemd we don't have a wheel group.