if su:ing to root, check that user is a member of group "wheel"

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@16528 ec53bebd-3082-4978-b11e-865c3cabbd6b

appl/su/su.1

@@ -1,4 +1,4 @@
-.\" Copyright (c) 2003 - 2004 Kungliga Tekniska H<>gskolan
+.\" Copyright (c) 2003 - 2006 Kungliga Tekniska H<>gskolan
 .\" (Royal Institute of Technology, Stockholm, Sweden). 
 .\" All rights reserved. 
 .\"
@@ -31,7 +31,7 @@
 .\" 
 .\" $Id$
 .\"
-.Dd March 23, 2004
+.Dd January 12, 2006
 .Dt SU 1
 .Os HEIMDAL
 .Sh NAME
@@ -59,24 +59,43 @@ user wanting to change effective UID is present in a file named
 .Pa .k5login
 in the target user id's home directory
 .Pp
-A special case exists for
-.Ql root
-where roots
+A special case exists where 
+.Ql root Ap s
 .Pa ~/.k5login
-needs to contain a row like:
-.Qo
-user/root@REALM
-.Qc
-for su to succed.  
+needs to contain an entry for:
+.Ql user Ns / Ns Ao instance Ac Ns @ Ns REALM
+for
+.Nm su
+to succed (where 
+.Aq instance
+is
+.Ql root
+unless changed with 
+.Fl i ) .
 .Pp
 In the absence of either an entry for current user in said file or
-other problems like missing host/hostname@REALM keys in systems
+other problems like missing 
+.Ql host/hostname@REALM
+keys in the system's
 keytab, or user typing the wrong password, 
 .Nm su
 will fall back to traditional
 .Pa /etc/passwd
 authentication.
 .Pp
+When using
+.Pa /etc/passwd
+authentication,
+.Nm su 
+allows
+.Ql root
+access only to members of the group
+.Ql wheel ,
+or to any user (with knowledge of the
+.Ql root
+password) if that group
+does not exist, or has no members.
+.Pp
 The options are as follows:
 .Bl -item -width Ds
 .It
@@ -102,11 +121,3 @@ root instance to use.
 .Fl -command= Ns Ar command
 command to execute.
 .El
-.Pp
-.Sh BUGS
-Note that on BSD systems, where system 
-.Nm su
-honors wheel group and denies 
-.Nm su
-to others, all users may become root if they know the root password,
-regardless of wheel membership.