From owner-freebsd-security Wed Mar 27 8:44:57 2002
Date: Wed, 27 Mar 2002 10:43:33 -0600
To: Andrew Kenneth Milton
From: Damien Palmer
Subject: Re: Question on su / possible hole
Cc: security@FreeBSD.ORG

At 12:35 AM 3/28/2002 +1000, Andrew Kenneth Milton wrote:
>So remove world execute access from su, make an su-users group and chgrp
>su with that group ?

Since su already belongs to the wheel group, and we are trying to restrict su access to people in the wheel group, wouldn't it be simpler to just chmod the command, so only the owner and the group have executable permissions on it, and leave it in the wheel group? Or is there another reasoning behind creating a new group that I am not seeing?

-Damien Palmer
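
Added example, not part of the original message: a check that a su binary ends up in the state both proposals in this thread aim for (no world execute, runnable by one group) and that the setuid bit survived the chmod. The function names, the /usr/bin/su default and the sample modes are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# check_su_mode MODE GROUP [WANT_GROUP]
# MODE: octal permissions of su (e.g. 4750); GROUP: the group that owns it.
# Prints one finding per line and returns 0 only when nothing is wrong.
check_su_mode() {
    mode=$((0$1))
    group=$2
    want=${3:-wheel}
    rc=0
    # su has to stay setuid; "chmod 750" (not 4750) silently clears the bit.
    if [ $((mode & 04000)) -eq 0 ]; then
        echo "setuid bit missing: su can no longer switch users"; rc=1
    fi
    if [ $((mode & 0001)) -ne 0 ]; then
        echo "world execute set: any local user can still run su"; rc=1
    fi
    if [ $((mode & 0010)) -eq 0 ]; then
        echo "group execute missing: members of $group cannot run su"; rc=1
    fi
    if [ "$group" != "$want" ]; then
        echo "group is $group, expected $want"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "ok: setuid kept, no world execute, group $want"
    fi
    return "$rc"
}

# audit_su [PATH] [WANT_GROUP]: read mode and group from the file itself.
# Assumes GNU stat (-c) or BSD stat (-f); returns 2 if neither works.
audit_su() {
    f=${1:-/usr/bin/su}
    want=${2:-wheel}
    info=$(stat -c '%a %G' "$f" 2>/dev/null) ||
        info=$(stat -f '%Mp%Lp %Sg' "$f" 2>/dev/null) || return 2
    set -- $info
    check_su_mode "$1" "$2" "$want"
}
```

Running `audit_su /usr/bin/su` checks the wheel variant; passing a second argument such as `su-users` checks the separate-group variant instead.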