Isn't the wheel group too much for simple sudo/doas usage?

[rbranco]

The wheel group is GID 0, which allows more than just running sudo & doas. For this reason I create a special sudo group.

Why isn't the wheel group considered harmful?

 

[SirDice]

Nobody is forcing you to use wheel, it's an example.

 

[covacat]

besides allowing you to su(1) to root it does not provide you with much
you still have to know root password

 

[rbranco]

Nobody is forcing you to use wheel, it's an example.

I know. I'm not ranting. I'm just asking why this separation of concerns isn't implemented even on OpenBSD. Is there something I'm missing? I'm not particularly paranoid anyway.

 

[bvdw78]

Looks to me like wheel works exactly as intended. Gid 0 doesn't do more than control su and even that can be changed. How do you see it as harmful?

 

[rbranco]

Looks to me like wheel works exactly as intended. Gid 0 doesn't do more than control su and even that can be changed. How do you see it as harmful?

Simple separation of concerns. We have to add an user to the wheel group to run sudo/doas, but wheel is the root group and everyone in the wheel group can see everything in /root, directories in /var, etc. Which is probably not what we want.

 

[Maxnix]

Simple separation of concerns. We have to add an user to the wheel group to run sudo/doas, but wheel is the root group and everyone in the wheel group can see everything in /root, directories in /var, etc. Which is probably not what we want.

How SirDice said, you don't need to add your user to the wheel group to use sudo/doas. The wheel membership is required only for su(1).

 

[bvdw78]

Well if you already have su, there's not much you can hide in /root or /var. I get where you're coming from now but I wouldn't call it harmful.

 

[Kai Burghardt]

[…] Is there something I'm missing? […]

You’re maybe missing the fact that a subject possesses both a real and an effective group ID. When you log in, your real and effective group ID become the user’s primary group ID as defined by the 4th field of a passwd(5) file. A su(1)bstitute user identity (as an unprivileged applicant) only sets the effective user and group ID (setegid(2)), so you can still keep track of who (which human ≈ real IDs) performed an action.​

[…] everyone in the wheel group can see everything in /root, directories in /var, etc. […]

Does it grant access? You need the exexcute bit to traverse every pathname component and the read bit to list directory entries.​

getfacl /root /var
# file: /root
# owner: root
# group: wheel
            owner@:rwxp--aARWcCos:-------:allow
            group@:------a-R-c--s:-------:allow
         everyone@:------a-R-c--s:-------:allow

# file: /var
# owner: root
# group: wheel
            owner@:rwxp--aARWcCos:-------:allow
            group@:r-x---a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow

[…] The wheel membership is required only for su(1).

[…] For this reason I create a special sudo group. […]

I know your question isn’t about implementation, but you do not need to set up sudo(8). The wheel group membership requirement is enforced via the /etc/pam.d/su service stack rule:​

auth requisite pam_group.so no_warn group=wheel root_only fail_safe ruser

You could omit the root_only option to pam_group(8) and/or replace wheel with your dedicated su(1) group if you like, if you think this was a gain in security in your environment.​