Date:      Wed, 27 Mar 2002 09:57:07 -0500
From:      Bill Vermillion <bv@wjv.com>
To:        Andrew Kenneth Milton <akm@theinternet.com.au>
Cc:        security@FreeBSD.ORG
Subject:   Re: Question on su / possible hole
Message-ID:  <20020327145706.GC30556@wjv.com>
In-Reply-To: <20020328003506.F40004@zeus.theinternet.com.au>
References:  <20020327140006.GA30556@wjv.com> <20020328000329.E40004@zeus.theinternet.com.au> <20020327142432.GB30556@wjv.com> <20020328003506.F40004@zeus.theinternet.com.au>

On Thu, Mar 28, 2002 at 12:35:06AM +1000, Andrew Kenneth Milton thus spoke:
> +-------[ Bill Vermillion ]----------------------
> | On Thu, Mar 28, 2002 at 12:03:29AM +1000, Andrew Kenneth Milton thus spoke:
> | > +-------[ Bill Vermillion ]----------------------
> | > |
> | > | However I have found that if a non-wheel-group user can su to a
> | > | user who has wheel privileges - then the non-wheel user can su to
> | > | root.
> | 
> | > So they can simply login as the user with wheel access and circumvent 
> | > any further checking anyway. They'd need the password after all.
> |
> | They do need the password of course.  But if you expand the wheel
> | concept to the point that you can only become root if you are a
> | named user in this group - IOW a trusted user - then the system
> | would be more secure.

> So remove world execute access from su, make an su-users group and
> chgrp su with that group ?

> I think you have the tools you need to do what you want d8)

Now why didn't I think of that.

Thanks.

Bill

-- 
Bill Vermillion - bv @ wjv . com
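Andrew's suggestion written out as a script, an added example that is not from the thread; it assumes FreeBSD's pw(8), su at /usr/bin/su and the group name su-users, and the real change must be run as root.

```shell
#!/bin/sh
# Added example (not from the thread): restrict su to one group so that only
# listed users can run it at all, closing the "su to a wheel user, then su
# to root" path. Assumed: group "su-users", binary /usr/bin/su.
# The functions take the path as an argument so they can be tried on a
# scratch file before touching the real binary.

SU_GROUP="su-users"

# Create the group and add one trusted user (FreeBSD pw(8); on Linux the
# equivalent is groupadd / usermod -aG). Needs root.
make_su_group() {
    user="$1"
    pw groupshow "$SU_GROUP" >/dev/null 2>&1 || pw groupadd "$SU_GROUP"
    pw groupmod "$SU_GROUP" -m "$user"
}

# chgrp first, chmod second: changing the owner/group of a file clears the
# setuid bit on most systems, so setting the mode before chgrp would leave
# su without its setuid-root bit and therefore unusable.
restrict_su_binary() {
    bin="$1"
    grp="${2:-$SU_GROUP}"
    chgrp "$grp" "$bin" && chmod 4750 "$bin"   # rwsr-x---
}

# Verify the result: setuid root, group may execute, world may not.
# Prints the mode and returns 0 only when it is exactly rwsr-x---.
check_su_mode() {
    mode=$(ls -ld "$1" | cut -c1-10)
    echo "$1: $mode"
    [ "$mode" = "-rwsr-x---" ]
}

# Usage on the live system (as root):
#   make_su_group alice
#   restrict_su_binary /usr/bin/su
#   check_su_mode /usr/bin/su      # -> /usr/bin/su: -rwsr-x---
```

Users outside su-users get "permission denied" from the kernel before su ever runs, so the wheel check inside su is no longer the only gate.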
