A long time ago I decided to protect my system by allowing *ONLY* users in the wheel group to su to root. This allows protecting the system: regardless of whether you know the root password or not, you cannot su as long as the system administrator does not put you into the wheel group. As far as I know this is the default behaviour of FreeBSD. In Red Hat you do it by uncommenting a line in /etc/pam.d/su:

    # Uncomment the following line to require a user to be in the "wheel" group.
    auth required /lib/security/$ISA/pam_wheel.so use_uid

This protects both su and kdesu.

What do you think? This is useless - it does not protect the system at all, as I've thought for a long time.

The system-config-users utility - a little program to manage users - has *NOTHING*, not even a little mention anywhere, that it breaks the security. Anyone who knows the root password logs in as a regular user, by ssh. Using X forwarding, he executes system-config-users, enters the root password and does ANYTHING he wants to the system. In particular, he adds himself to the wheel group and su's to root. Meanwhile the system administrator sleeps well, knowing that he cannot su because he's not in the wheel group ^^#$#$&^#^$%^
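An audit sketch for the gap described above, added here as an example and not part of the original post: PAM rules are per service, so the pam_wheel line in /etc/pam.d/su does not cover other service files. The function names and the sample file contents are constructed, and it is an assumption that root-authenticating helpers such as system-config-users have their own file in the same directory.

```shell
#!/bin/sh
# Added example (not from the original post): list PAM service files that
# have no active pam_wheel "auth" rule. Function names are hypothetical.
# Limitation: include/pam_stack references to other files are not followed.

# has_wheel FILE: succeeds if FILE contains an uncommented
# "auth required|requisite <path>pam_wheel.so" line.
has_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+[^#[:space:]]*pam_wheel\.so' "$1"
}

# services_without_wheel [DIR]: print the name of every service file in DIR
# (default /etc/pam.d) that lacks such a line. The result is a review list:
# many services never authenticate as root and do not need the rule.
services_without_wheel() {
    dir=${1:-/etc/pam.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        has_wheel "$f" || basename "$f"
    done
}

# make_sample DIR: write constructed sample service files for a dry run.
make_sample() {
    # su with the wheel line uncommented, as in the post
    printf '%s\n' 'auth sufficient pam_rootok.so' \
        'auth required /lib/security/$ISA/pam_wheel.so use_uid' > "$1/su"
    # same file with the line still commented out (constructed)
    printf '%s\n' 'auth sufficient pam_rootok.so' \
        '#auth required /lib/security/$ISA/pam_wheel.so use_uid' > "$1/su-commented"
    # a separate service file with no wheel rule (constructed contents)
    printf '%s\n' 'auth sufficient pam_rootok.so' \
        'auth required pam_stack.so service=system-auth' > "$1/system-config-users"
}

# Run against a directory given on the command line, e.g. /etc/pam.d
if [ $# -gt 0 ]; then
    services_without_wheel "$1"
fi
```

Each name printed is a service whose own rules decide who may authenticate; review the ones that accept the root password.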