[tech] Moving Wheel group away from GID 0
David Adam
zanchey at ucc.gu.uwa.edu.au
Tue Jun 27 11:16:10 AWST 2017
Occasionally, I hear people say "everyone I ask about this problem tells
me the same thing!" Usually there is a reason for that.
For the last few years, we've been fighting with various bits of software
that don't like the idea that our wheel members have their primary group
set to the root GID of 0. In our tests of Active Directory/Samba, getting
users to belong to a group with a GID of 0 is proving to be Very Hard.
Perhaps there is a reason for this.
I think it's time to face facts. Being part of a group called "wheel" is
no longer required for technical reasons, and even if it was, there is no
need for it to have GID 0.
My plan is to:
* add all Wheel members to the LDAP group "wheel" (done)
* create a new LDAP group "wheelnew" with GID 512 (matches the RID for
Windows' default Administrator group)
* add all Wheel members to this group
* wait for the next reboot of Mussel/Motsugo
* change the default group of all wheel members to GID 512 instead of 0
* change all the files in /home and /away with GID 0 to GID 512
* remove the wheel LDAP group
* fix stuff that breaks
* remove the suexec hacks we have in place
Unless there are any objections or fixes for this plan, I am going ahead
in the next week or so.
David Adam
UCC Wheel Group Member
zanchey at ucc.gu.uwa.edu.au
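
An added example, not part of the original message: one way to carry out the "change all the files in /home and /away with GID 0 to GID 512" step, with a dry run before anything is modified. The function names (count_gid, list_special, regroup_tree) are hypothetical; the GIDs and paths in the usage comment are the ones from the plan.

```shell
#!/bin/sh
# Added example, not the list's own tooling. ROOT and the GIDs are arguments;
# 0, 512, /home and /away in the usage lines come from the plan in the message.

# Count entries under ROOT owned by group GID. The count is taken over
# NUL-delimited names, so unusual file names cannot skew it.
# -xdev keeps find on one filesystem.
count_gid() {
    cg_n=$(find "$1" -xdev -gid "$2" -print0 | tr -dc '\0' | wc -c)
    echo $((cg_n))
}

# List regular files with that GID that carry setuid or setgid bits.
# A group change can clear these bits, so they need a review (and possibly
# a chmod) once the change has been applied.
list_special() {
    find "$1" -xdev -gid "$2" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# regroup_tree ROOT OLD_GID NEW_GID [apply]
# The default is a dry run that only reports. With "apply", chgrp -h
# re-groups a symlink itself rather than its target, which matters in
# user-writable trees where a link may point outside ROOT.
regroup_tree() {
    rt_root=$1; rt_old=$2; rt_new=$3; rt_mode=${4:-dry-run}
    echo "$rt_root: $(count_gid "$rt_root" "$rt_old") entries with GID $rt_old"
    list_special "$rt_root" "$rt_old" | sed 's/^/  setuid or setgid: /'
    [ "$rt_mode" = apply ] || return 0
    find "$rt_root" -xdev -gid "$rt_old" -exec chgrp -h "$rt_new" {} +
}

# Usage (as root, once the default group has been switched):
#   regroup_tree /home 0 512          # report only
#   regroup_tree /home 0 512 apply
#   regroup_tree /away 0 512 apply
```

Running count_gid again after the apply pass should report 0 for the old GID; anything left over is on another filesystem or was created in the meantime.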