From owner-freebsd-security@FreeBSD.ORG Sun Dec 19 01:33:27 2004
Date: Sat, 18 Dec 2004 17:35:35 -0800 (PST)
From: Dave
To: Craig Edwards
Cc: freebsd-security@freebsd.org, estover@nativenerds.com
Subject: Re: Strange command histories in hacked shell history
In-Reply-To: <41C41869.5040408@winbot.co.uk>
Message-ID: <20041218173044.K23128@metafocus.net>
References: <20041217120138.7A89116A4D2@hub.freebsd.org> <20041217145315.GB68582@wjv.com> <41C391BE.3030604@earthlink.net> <20041218022556.GA85192@wjv.com> <1103354079.16723.6.camel@red.nativenerds.com> <41C41869.5040408@winbot.co.uk>

> You could change the permissions on the su binary, so that only users in the wheel group can even
> execute su. that way, when a non-wheel user attempts to su to a user in the wheel group, they simply
> get permission denied.

This is a really good idea.
I decided to try it as root and chmod gave me "chmod: su: Operation Not Permitted"! The nerve! I'll have to have a look at that more carefully later :)

As a side note, I think Bill's point about 2 passwords to break is pretty strong from my point of view. Just for simplicity's sake (in both security and in design), "the su stack" really shouldn't be any larger than 1. No su'ing twice, or N number of times. Hmm, I wonder if there is an option for setting that. I suppose someone might have a purpose to, but if they really need to be doing that, I think they have a problem in their own designs.
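The wheel-only restriction on the su binary suggested in the quoted reply, as an added POSIX sh example that is not part of this thread: it reads the mode column from ls(1), reports whether anyone outside the owning group can still execute the file, and applies the tightened mode (group wheel, 4750). The binary path and group name are parameters; the comment about an immutable flag as a possible cause of the "Operation not permitted" error is an assumption, not something the thread establishes.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Assumes POSIX sh and an ls(1) whose first column is the usual
# 10-character mode string, e.g. "-r-sr-xr-x".

# su_mode PATH -> prints the 10-character mode column for PATH
su_mode() {
    ls -ld "$1" | cut -c1-10
}

# su_world_executable PATH -> exit 0 if "other" has execute permission,
# i.e. any local user, wheel member or not, can run the binary
su_world_executable() {
    case "$(su_mode "$1")" in
        ?????????[xst]) return 0 ;;
        *)              return 1 ;;
    esac
}

# su_setuid PATH -> exit 0 if the set-uid bit is still present after hardening
su_setuid() {
    case "$(su_mode "$1")" in
        ???[sS]??????) return 0 ;;
        *)             return 1 ;;
    esac
}

# harden_su PATH GROUP -> make PATH set-uid root, group GROUP, mode 4750:
#   owner rwx + setuid, group r-x, no access for others.
# chgrp runs first because changing ownership can clear the set-uid bit.
# Assumption: if chmod reports "Operation not permitted" even as root, one
# common cause is an immutable file flag on the binary (FreeBSD: schg),
# which must be cleared by root with chflags(1) before the mode can change.
harden_su() {
    chgrp "$2" "$1" && chmod 4750 "$1"
}

# Usage, as root, on the real binary:
#   harden_su /usr/bin/su wheel
#   su_world_executable /usr/bin/su && echo "still world-executable"
```

A cron or audit script can call su_world_executable against the installed binary to detect the permissions drifting back after an upgrade or reinstall.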