[tech] Moving Wheel group away from GID 0

David Adam zanchey at ucc.gu.uwa.edu.au
Tue Jun 27 11:16:10 AWST 2017


Occasionally, I hear people say "everyone I ask about this problem tells 
me the same thing!" Usually there is a reason for that.

For the last few years, we've been fighting with various bits of software 
that don't like the idea that our wheel members have their primary group 
set to the root GID of 0. In our tests of Active Directory/Samba, getting 
users to belong to a group with a GID of 0 is proving to be Very Hard. 
Perhaps there is a reason for this.

I think it's time to face facts. Being part of a group called "wheel" is 
no longer required for technical reasons, and even if it was there is no 
need for it to have GID 0.

My plan is to:
 * add all Wheel members to the LDAP group "wheel" (done)
 * create a new LDAP group "wheelnew" with GID 512 (matches the RID for 
   Windows' default Administrator group)
 * add all Wheel members to this group
 * wait for the next reboot of Mussel/Motsugo
 * change the default group of all wheel members to GID 512 instead of 0
 * change all the files in /home and /away with GID 0 to GID 512
 * remove the wheel LDAP group
 * fix stuff that breaks
 * remove the suexec hacks we have in place

Unless there are any objections or fixes for this plan, I am going ahead 
in the next week or so.

David Adam
UCC Wheel Group Member
zanchey at ucc.gu.uwa.edu.au
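
An added example, not part of the original message or any UCC tooling: one way to carry out the "change all the files in /home and /away with GID 0 to GID 512" step so that it can be reviewed before anything changes. The function name `regroup`, its three modes and the record file path in the closing comments are assumptions of this example.

```shell
#!/bin/sh
# Added example: helpers for the file regroup step of the plan above.

# regroup MODE OLD_GID NEW_GID ROOT...
#   plan   - print every path currently owned by group OLD_GID (changes nothing)
#   review - print only paths that deserve a look first: setuid/setgid entries
#            (chgrp can clear those bits on regular files) and group-writable
#            entries (the new group inherits that write access)
#   apply  - chgrp the matching paths to NEW_GID
regroup() {
    if [ "$#" -lt 4 ]; then
        echo "usage: regroup plan|review|apply OLD_GID NEW_GID ROOT..." >&2
        return 2
    fi
    mode=$1 old=$2 new=$3
    shift 3
    case $mode in
    plan)
        # -xdev keeps find on the filesystem of each ROOT (no crossing mounts).
        # -group with a number matches by GID when no group has that name.
        find "$@" -xdev -group "$old" -print
        ;;
    review)
        # Symlinks are skipped here: their mode bits carry no meaning.
        find "$@" -xdev -group "$old" ! -type l \
            \( -perm -4000 -o -perm -2000 -o -perm -0020 \) -print
        ;;
    apply)
        # -h changes a symlink itself instead of the file it points to, so a
        # link planted in a home directory cannot redirect the change.
        find "$@" -xdev -group "$old" -exec chgrp -h "$new" {} +
        ;;
    *)
        echo "regroup: unknown mode '$mode'" >&2
        return 2
        ;;
    esac
}

# With the GIDs and paths from the plan (run as root; output path is an example):
#   regroup plan   0 512 /home /away > /root/gid0-before.txt   # rollback record
#   regroup review 0 512 /home /away
#   regroup apply  0 512 /home /away
```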

