From owner-freebsd-security Wed Mar 27 8:53:59 2002
Delivered-To: freebsd-security@freebsd.org
Received: from rhadamanth.submonkey.net (pc4-card4-0-cust162.cdf.cable.ntl.com [80.4.14.162]) by hub.freebsd.org (Postfix) with ESMTP id 496A537B41A for ; Wed, 27 Mar 2002 08:53:42 -0800 (PST)
Received: from setantae by rhadamanth.submonkey.net with local (Exim 3.35 #1) id 16qGg3-000GB6-00; Wed, 27 Mar 2002 16:53:35 +0000
Date: Wed, 27 Mar 2002 16:53:35 +0000
From: Ceri
To: Andrew Kenneth Milton
Cc: Damien Palmer, security@FreeBSD.ORG
Subject: Re: Question on su / possible hole
Message-ID: <20020327165335.GA61997@submonkey.net>
References: <20020327142432.GB30556@wjv.com> <20020327140006.GA30556@wjv.com> <20020328000329.E40004@zeus.theinternet.com.au> <20020327142432.GB30556@wjv.com> <20020328003506.F40004@zeus.theinternet.com.au> <5.1.0.14.2.20020327103848.00acb498@casbah.it.northwestern.edu> <20020328024827.I40004@zeus.theinternet.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020328024827.I40004@zeus.theinternet.com.au>
User-Agent: Mutt/1.3.28i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Thu, Mar 28, 2002 at 02:48:27AM +1000, Andrew Kenneth Milton wrote:
> +-------[ Damien Palmer ]----------------------
> | At 12:35 AM 3/28/2002 +1000, Andrew Kenneth Milton wrote:
> | >So remove world execute access from su, make an su-users group and chgrp
> | >su with that group ?
> |
> | Since su already belongs to the wheel group, and we are trying to restrict
> | su access to people in the wheel group, wouldn't it be simpler to just
> | chmod the command, so only the owner and the group have executable
> | permissions on it, and leave it in the wheel group? Or is there another
> | reasoning behind creating a new group that I am not seeing?
>
> Neatness?
If only wheel has execute access on su, then only people in wheel can su.

Note that anyone can use su; they just can't su to root if they're not in wheel.

Creating a new group wouldn't work anyway. su explicitly checks that the user
calling it is in a group with gid=0, otherwise known as wheel.

Ceri
-- 
keep a mild groove on

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
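The two separate gates Ceri distinguishes above, who may execute the su binary at all (its mode bits and group ownership) and whom su itself lets become root (membership of the gid-0 group), can be walked through with a small model. The following is an added illustration, not code from this thread or from FreeBSD's su. It assumes the wheel check works as the message describes it (the caller's name must appear in the member list of whatever group has gid 0; a primary gid of 0 is deliberately not counted here, and the password prompt that real su performs afterwards is left out), and the /etc/group and /etc/passwd excerpts are constructed sample data with the thread's participants as users.

```python
import stat
from dataclasses import dataclass

# Constructed sample /etc/group and /etc/passwd excerpts (not from any real host).
# damien is a member of the hypothetical "su-users" group from the quoted proposal.
GROUP_FILE = """\
wheel:*:0:root,ceri
users:*:100:ceri,damien
su-users:*:200:damien
"""
PASSWD_FILE = """\
root:*:0:0:Charlie &:/root:/bin/csh
ceri:*:1001:100:Ceri:/home/ceri:/bin/sh
damien:*:1002:100:Damien:/home/damien:/bin/sh
"""


@dataclass
class Group:
    name: str
    gid: int
    members: list


@dataclass
class User:
    name: str
    uid: int
    gid: int


def parse_group(text):
    """name:password:gid:member,member -> {name: Group}"""
    groups = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, gid, members = line.split(":", 3)
            groups[name] = Group(name, int(gid), [m for m in members.split(",") if m])
    return groups


def parse_passwd(text):
    """Only the name, uid and primary gid fields are needed for the model."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            f = line.split(":")
            users[f[0]] = User(f[0], int(f[2]), int(f[3]))
    return users


GROUPS = parse_group(GROUP_FILE)
USERS = parse_passwd(PASSWD_FILE)


def user_gids(user, groups):
    """Primary gid plus every group that lists the user as a member."""
    gids = {user.gid}
    gids.update(g.gid for g in groups.values() if user.name in g.members)
    return gids


def may_execute(mode, file_uid, file_gid, user, groups):
    """Gate 1, the kernel's discretionary check: exactly one of the owner,
    group or other permission classes applies, and root bypasses it."""
    if user.uid == 0:
        return True
    if user.uid == file_uid:
        return bool(mode & stat.S_IXUSR)
    if file_gid in user_gids(user, groups):
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


def in_wheel(user, groups):
    """Gate 2, su's own check as the message describes it: the caller must be
    listed as a member of the group whose gid is 0, whatever it is named."""
    return any(g.gid == 0 and user.name in g.members for g in groups.values())


def su_outcome(mode, file_gid, caller, target="root", groups=GROUPS, users=USERS):
    """Run both gates for `caller` invoking su to `target`; the binary is
    assumed to be owned by root (uid 0) as on a stock install."""
    user = users[caller]
    if not may_execute(mode, 0, file_gid, user, groups):
        return "cannot execute su"
    if users[target].uid == 0 and not in_wheel(user, groups):
        return "refused: not in gid-0 group"
    return "allowed (password check follows)"


DEFAULT_MODE = 0o4555     # -r-sr-xr-x root:wheel, the stock install
RESTRICTED_MODE = 0o4550  # -r-sr-x--- the chmod proposed in the quoted text
WHEEL_GID = GROUPS["wheel"].gid
SU_USERS_GID = GROUPS["su-users"].gid

if __name__ == "__main__":
    scenarios = [(DEFAULT_MODE, WHEEL_GID, "stock 4555, group wheel"),
                 (RESTRICTED_MODE, WHEEL_GID, "chmod 4550, group wheel"),
                 (RESTRICTED_MODE, SU_USERS_GID, "chmod 4550, group su-users")]
    for mode, gid, label in scenarios:
        for who in ("ceri", "damien"):
            print(f"{label:28} {who:7} -> {su_outcome(mode, gid, who)}")
```

With the stock mode, damien can run su (to another unprivileged user, for instance) but is refused at the wheel check when the target is root; after chmod 4550 with the binary still in group wheel, he cannot execute it at all. Moving the binary into a new su-users group instead lets him run it but still stops him at the gid-0 check, and locks out any wheel member not also added to the new group, which is the point of the reply.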