Subject: Re: Using netgroups in /etc/group
To: None <netbsd-help@netbsd.org>
From: Christos Zoulas <christos@zoulas.com>
List: netbsd-help
Date: 12/11/2004 03:04:19
In article <20041211022309.GV26258@mewburn.net>,
Luke Mewburn <lukem@NetBSD.org> wrote:
>
>On Fri, Dec 10, 2004 at 07:28:01PM -0500, Lord Clark Frazier Hale I wrote:
>  | Hello all,
>  | 
>  | I hope I'm not asking a redundant question.  I cannot seem to find an 
>  | answer to this.
>  | 
>  | I would like to use netgroups to add users to a pre-existing group in 
>  | /etc/group.  What I would like to do, even though this doesn't work, is
>  | 
>  | wheel:*:0:root,+@admins
>  | 
>  | adding all users in the admin netgroup to wheel.
>  | 
>  | Is there a way for me to do this, or something similar?
>
>Not really.
>
>The '+/- compat syntax' is triggered off the first character of the
>line, not on each member group.  There would be large increases in
>complexity in libc/getgrent.c for supporting the latter.
>
>
>  | Is it wise?
>
>I'm tempted to answer "not really" here too.
>You _could_ use
>	+wheel:*::
>	wheel:*:0:root
>and set wheel to the full admins entry in wherever you get
>passwd_compat from (nis, dns, ...), but I'm not comfortable
>recommending that as good sysadmin practice.
>
>You could use replacements for su(1) that do not use "wheel" as
>the access control mechanism (e.g., priv, sudo)

Alternatively you could read the man page for su, especially
the following parts:

     SU_ROOTAUTH        If defined, it specifies a group whose members are
                        allowed to become ``root'' by supplying their own
                        password instead of the ``root'' one.

     SU_INDIRECT_GROUP  If defined, the SU_GROUP and SU_ROOTAUTH groups are
                        treated as indirect groups.  The group members of
                        those two groups are treated as groups themselves.

I don't like su_indirect_group myself, but I like and use su_rootauth.
christos
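
An added example, not part of the original thread: a small Python lint that applies the rule stated above (compat handling is keyed on the first character of the line, not on each member) to a group(5)-format file and flags member-field entries such as `+@admins` that will not be expanded. The sample content and the names `lint_group` and `Finding` are constructed for illustration.

```python
from typing import List, NamedTuple

# Constructed sample input in group(5) format (not from a real system).
SAMPLE_GROUP = """\
wheel:*:0:root,+@admins
operator:*:5:root
+staff:*::
+:*::
"""

class Finding(NamedTuple):
    lineno: int
    group: str
    kind: str      # "compat-line", "unexpanded-member" or "malformed"
    detail: str

def lint_group(text: str) -> List[Finding]:
    """Flag compat lines and '+'/'-' member entries that are not expanded."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(":")
        name = fields[0]
        # Per the thread: compat syntax is decided by the first character
        # of the whole line, so these lines are handled as compat entries.
        if line[0] in "+-":
            findings.append(Finding(lineno, name, "compat-line", line))
            continue
        if len(fields) < 4:
            findings.append(Finding(lineno, name, "malformed", line))
            continue
        # A '+' or '-' inside the member list gets no compat treatment,
        # so a netgroup reference here adds nobody to the group.
        for member in (m.strip() for m in fields[3].split(",")):
            if member and member[0] in "+-":
                findings.append(
                    Finding(lineno, name, "unexpanded-member", member))
    return findings

if __name__ == "__main__":
    for f in lint_group(SAMPLE_GROUP):
        print(f"line {f.lineno}: {f.group}: {f.kind}: {f.detail}")
```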