From owner-freebsd-security Wed Mar 27 8:58: 4 2002 Delivered-To: freebsd-security@freebsd.org Received: from theinternet.com.au (c17126.kelvn1.qld.optusnet.com.au [210.49.48.239]) by hub.freebsd.org (Postfix) with ESMTP id C864837B41F for ; Wed, 27 Mar 2002 08:57:31 -0800 (PST) Received: (from akm@localhost) by theinternet.com.au (8.11.6/8.11.4) id g2RGvMQ11623; Thu, 28 Mar 2002 02:57:22 +1000 (EST) (envelope-from akm) Date: Thu, 28 Mar 2002 02:57:22 +1000 From: Andrew Kenneth Milton To: Ceri Cc: Andrew Kenneth Milton , Damien Palmer , security@FreeBSD.ORG Subject: Re: Question on su / possible hole Message-ID: <20020328025722.J40004@zeus.theinternet.com.au> References: <20020327142432.GB30556@wjv.com> <20020327140006.GA30556@wjv.com> <20020328000329.E40004@zeus.theinternet.com.au> <20020327142432.GB30556@wjv.com> <20020328003506.F40004@zeus.theinternet.com.au> <5.1.0.14.2.20020327103848.00acb498@casbah.it.northwestern.edu> <20020328024827.I40004@zeus.theinternet.com.au> <20020327165335.GA61997@submonkey.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020327165335.GA61997@submonkey.net>; from setantae@submonkey.net on Wed, Mar 27, 2002 at 04:53:35PM +0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org +-------[ Ceri ]---------------------- | On Thu, Mar 28, 2002 at 02:48:27AM +1000, Andrew Kenneth Milton wrote: | > +-------[ Damien Palmer ]---------------------- | > | At 12:35 AM 3/28/2002 +1000, Andrew Kenneth Milton wrote: | > | >So remove world execute access from su, make an su-users group and chgrp | > | >su with that group ? | > | | > | Since su already belongs to the wheel group, and we are trying to restrict | > | su access to people in the wheel group, wouldn't it be simpler to just | > | chmod the command, so only the owner and the group have executable | > | permissions on it, and leave it in the wheel group? Or is there another | > | reasoning behind creating a new group that I am not seeing? | > | > Neatness? | | If only wheel has execute access on su, then only people in wheel can su. | Note that anyone can use su, they just can't su to root if they're not in | wheel. | | Creating a new group wouldn't work anyway. | su explicitly checks that the user calling it is in a group | with gid=0, otherwise known as wheel. New group is to restrict hopping from noWheelUser1 -> wheelUser2 -> root if noWheelUser1 can't execute su they can't get to wheelUser2 I'm just providing solutions, I'm not going to try to provide a rationalisation for why it's a problem d8) -- Totally Holistic Enterprises Internet| | Andrew Milton The Internet (Aust) Pty Ltd | | ACN: 082 081 472 ABN: 83 082 081 472 | M:+61 416 022 411 | Carpe Daemon PO Box 837 Indooroopilly QLD 4068 |akm@theinternet.com.au| To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message