[tech] Moving Wheel group away from GID 0
David Adam
zanchey at ucc.gu.uwa.edu.au
Fri Feb 9 10:49:43 AWST 2018
On Tue, 27 Jun 2017, David Adam wrote:
> Occasionally, I hear people say "everyone I ask about this problem tells
> me the same thing!" Usually there is a reason for that.
>
> For the last few years, we've been fighting with various bits of software
> that don't like the idea that our wheel members have their primary group
> set to the root GID of 0. In our tests of Active Directory/Samba, getting
> users to belong to a group with a GID of 0 is proving to be Very Hard.
> Perhaps there is a reason for this.
>
> I think it's time to face facts. Being part of a group called "wheel" is
> no longer required for technical reasons, and even if it was there is no
> need for it to have GID 0.
>
> My plan is to:
> * add all Wheel members to the LDAP group "wheel" (done)
> * create a new LDAP group "wheelnew" with GID 512 (matches the RID for
> Windows' default Administrator group)
> * add all Wheel members to this group
> * wait for the next reboot of Mussel/Motsugo
> * change the default group of all wheel members to GID 512 instead of 0
> * change all the files in /home and /away with GID 0 to GID 512
> * remove the wheel LDAP group
> * fix stuff that breaks
> * remove the suexec hacks we have in place
>
> Unless there are any objections or fixes for this plan, I am going ahead
> in the next week or so.
I've made some headway on this plan - up to the fifth point, with the
sixth in the next day or two.

All Wheel accounts now have an identity similar to this:

    uid=11251(zanchey) gid=512(wheelnew) groups=512(wheelnew),0(wheel),...
[DAA]
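
A dry-run-first sketch of the "change all the files in /home and /away with GID 0 to GID 512" step from the plan above. This is an added example, not part of the original post: the function names are hypothetical, and only the GIDs 0 and 512 and the /home path come from the post.

```python
import os
import stat

OLD_GID = 0    # GID being vacated (from the post)
NEW_GID = 512  # GID of "wheelnew" (from the post)


def plan_regroup(root, old_gid=OLD_GID):
    """Dry run: list (path, has_setid) for entries under root owned by old_gid.

    lstat() is used throughout, so a symlink is reported as itself and its
    target (which may live outside root) is never examined.
    """
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow symlinks
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    plan = []
    for path in paths:
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            continue  # removed while we were walking a live home directory
        if st.st_gid != old_gid:
            continue
        setid = (not stat.S_ISLNK(st.st_mode)
                 and bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID)))
        plan.append((path, setid))
    return plan


def apply_regroup(plan, new_gid=NEW_GID):
    """Change the group of each planned path; return the paths to re-check.

    lchown() changes a symlink itself rather than its target. Entries that
    carried setuid/setgid bits are returned for manual review: Linux may
    clear those bits on executables when the group changes, and a setgid
    directory will now pass new_gid on to files created inside it.
    """
    review = []
    for path, had_setid in plan:
        os.lchown(path, -1, new_gid)  # -1 keeps the owning user unchanged
        if had_setid:
            review.append(path)
    return review


if __name__ == "__main__":
    for path, setid in plan_regroup("/home"):
        print("setid" if setid else "     ", path)
```

Run stand-alone, it only prints the plan for /home; nothing is changed until `apply_regroup` is called on a reviewed plan.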