Wheel - Revision history

Jimbo: Reverted edits by 89.19.172.22 (Talk); changed back to last version by Jimbo

2008-12-17T01:45:02Z

Reverted edits by 89.19.172.22 (Talk); changed back to last version by Jimbo

Jimbo at 15:54, 11 September 2004

2004-09-11T15:54:08Z

Jimbo at 15:53, 11 September 2004

2004-09-11T15:53:08Z

Jimbo at 15:49, 11 September 2004

2004-09-11T15:49:34Z

Jimbo at 15:45, 11 September 2004

2004-09-11T15:45:29Z

Jimbo at 06:22, 25 August 2004

2004-08-25T06:22:36Z

Jimbo at 06:21, 25 August 2004

2004-08-25T06:21:07Z

New page

''wheel'' is a special user group. By default, FreeBSD does not allow any user to [[su]] to [[root]] - even if the person operating that user account knows the root password - unless that user is a member of the wheel group. This behavior can be changed, but it is very strongly recommended to leave it as-is; it provides a definite boost to security to only allow [[su]] privileges to root from a select few accounts.

[[Category:FreeBSD Terminology]]

@@ Line 3: / Line 3: @@
 If you allow direct root login over [[ssh]], it becomes possible for [[script kiddie | script kiddies]] to use automated attack tools like John the Ripper to brute-force or dictionary-attack the password to the root account.  With direct root login disabled, your exposure is greatly decreased because any potential attacker would need to already know the name of a user account before even attempting to brute-force a password - and even then, would have to go through the brute force process AGAIN, this time while interactively logged in, in order to get the root password.
-With FreeBSD's use of the special [[wheel]] group to limit the use of [[su]], security is enhanced even more by ensuring that the attacker would already need to know not only some random username, but a username that is a member of [[wheel]].  This also helps mitigate the liability of potentially having clueless shell users who may pick "password" or something equally clueless as their password; even if a [[script kiddie | kiddie]] gains shell access by using such an ill-handled account, they at least won't be immediately able to proceed to attacking your root account because your clueless hacked user wasn't a member of [[wheel]].
+With FreeBSD's use of the special [[wheel]] group to limit the use of [[su]], security is enhanced even more by ensuring that the attacker would already need to know not only some random username, but a username that is a member of [[wheel]].  This also helps mitigate the liability of potentially having clueless shell users who may pick "password" or something equally obvious as their password; even if a [[script kiddie | kiddie]] gains shell access by using such an ill-handled account, they at least won't be immediately able to proceed to attacking your root account because your clueless hacked user wasn't a member of [[wheel]].
 It is highly recommended that you do NOT make any hyper-obvious names like "administrator" members of [[wheel]], or you will defang much (though not all) of the security benefit inherent in this setup.
 [[Category:FreeBSD Terminology]]

@@ Line 5: / Line 5: @@
 With FreeBSD's use of the special [[wheel]] group to limit the use of [[su]], security is enhanced even more by ensuring that the attacker would already need to know not only some random username, but a username that is a member of [[wheel]].  This also helps mitigate the liability of potentially having clueless shell users who may pick "password" or something equally clueless as their password; even if a [[script kiddie | kiddie]] gains shell access by using such an ill-handled account, they at least won't be immediately able to proceed to attacking your root account because your clueless hacked user wasn't a member of [[wheel]].
-It is highly recommended that you do NOT make any hyper-obvious names like "administrator" members of [[wheel]], or you will defang much (though not all) of the security benefits inherent in this setup.
+It is highly recommended that you do NOT make any hyper-obvious names like "administrator" members of [[wheel]], or you will defang much (though not all) of the security benefit inherent in this setup.
 [[Category:FreeBSD Terminology]]

@@ Line 1: / Line 1: @@
-'''wheel''' is a special user group.  By default, FreeBSD does not allow any user to [[su]] to [[root]] - even if the person operating that user account knows the root password - unless that user is a member of the wheel group.  This behavior can be changed, but it is very strongly recommended to leave it as-is; it provides a definite boost to security to only allow [[su]] privileges to root from a select few accounts.
+'''wheel''' is a special user group.  By default, FreeBSD does not allow direct root login from remote locations, and does not allow any user to [[su]] to [[root]] - even if the person operating that user account knows the root password - unless that user is a member of the wheel group.  This behavior can be changed, but it is very strongly recommended to leave it as-is; it provides a definite boost to security to only allow [[su]] privileges to root from a select few accounts.
-If you allow direct root login over [[ssh]], it becomes possible for [[script kiddie | script kiddies]] to use automated attack tools like John the Ripper to brute-force or dictionary-attack the password to the root account.  With direct root login disabled, your exposure is greatly decreased because any potential attacker would need to already know the name of a user account that is a member of [[wheel]] before even attempting to brute-force a password - and even then, would have to go through the brute force process AGAIN, this time while interactively logged in, in order to get the root password.
+If you allow direct root login over [[ssh]], it becomes possible for [[script kiddie | script kiddies]] to use automated attack tools like John the Ripper to brute-force or dictionary-attack the password to the root account.  With direct root login disabled, your exposure is greatly decreased because any potential attacker would need to already know the name of a user account before even attempting to brute-force a password - and even then, would have to go through the brute force process AGAIN, this time while interactively logged in, in order to get the root password.
 It is highly recommended that you do NOT make any hyper-obvious names like "administrator" members of [[wheel]], or you will defang much (though not all) of the security benefits inherent in this setup.
 [[Category:FreeBSD Terminology]]

← Older revision		Revision as of 15:45, 11 September 2004
Line 1:		Line 1:
	'''wheel''' is a special user group. By default, FreeBSD does not allow any user to [[su]] to [[root]] - even if the person operating that user account knows the root password - unless that user is a member of the wheel group. This behavior can be changed, but it is very strongly recommended to leave it as-is; it provides a definite boost to security to only allow [[su]] privileges to root from a select few accounts.		'''wheel''' is a special user group. By default, FreeBSD does not allow any user to [[su]] to [[root]] - even if the person operating that user account knows the root password - unless that user is a member of the wheel group. This behavior can be changed, but it is very strongly recommended to leave it as-is; it provides a definite boost to security to only allow [[su]] privileges to root from a select few accounts.
		+
		+	If you allow direct root login over [[ssh]], it becomes possible for [[script kiddie \| script kiddies]] to use automated attack tools like John the Ripper to brute-force or dictionary-attack the password to the root account. With direct root login disabled, your exposure is greatly decreased because any potential attacker would need to already know the name of a user account that is a member of [[wheel]] before even attempting to brute-force a password - and even then, would have to go through the brute force process AGAIN, this time while interactively logged in, in order to get the root password.
		+
		+	It is highly recommended that you do NOT make any hyper-obvious names like "administrator" members of [[wheel]], or you will defang much (though not all) of the security benefits inherent in this setup.

	[[Category:FreeBSD Terminology]]		[[Category:FreeBSD Terminology]]

← Older revision		Revision as of 06:22, 25 August 2004
Line 1:		Line 1:
−	''wheel'' is a special user group. By default, FreeBSD does not allow any user to [[su]] to [[root]] - even if the person operating that user account knows the root password - unless that user is a member of the wheel group. This behavior can be changed, but it is very strongly recommended to leave it as-is; it provides a definite boost to security to only allow [[su]] privileges to root from a select few accounts.	+	'''wheel''' is a special user group. By default, FreeBSD does not allow any user to [[su]] to [[root]] - even if the person operating that user account knows the root password - unless that user is a member of the wheel group. This behavior can be changed, but it is very strongly recommended to leave it as-is; it provides a definite boost to security to only allow [[su]] privileges to root from a select few accounts.

	[[Category:FreeBSD Terminology]]		[[Category:FreeBSD Terminology]]