From owner-freebsd-questions Wed Oct 4 21:36:49 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from zeus.host4u.net (zeus.host4u.net [216.71.64.21]) by hub.freebsd.org (Postfix) with ESMTP id 7E25937B502 for ; Wed, 4 Oct 2000 21:36:45 -0700 (PDT)
Received: from lola (adsl-63-206-193-145.dsl.snfc21.pacbell.net [63.206.193.145]) by zeus.host4u.net (8.8.5/8.8.5) with SMTP id XAA03447 for ; Wed, 4 Oct 2000 23:21:56 -0500
Message-ID: <002001c02e85$f0937ea0$91c1ce3f@lola>
From: "Robert Shea"
To:
References: <14811.60575.915025.704286@guru.mired.org>
Subject: Re: Securing SU
Date: Wed, 4 Oct 2000 21:37:15 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> Dan Mahoney, System Admin writes:
> > On Wed, 4 Oct 2000, roman wrote:
> > > > I was wondering if there was a way to configure su so that it would
> > > > disallow a user access if they're telnetted in. (but, say, allow them if
> > > > they have sshed in).
> > > what about sudo?
> > > better than su, because you get to control who gets to do what as root.
> > Oh, I have four people who have root, and need it. My web guy, my cgi
> > guy, myself and my assistant... All of us need full root, and all are
> > trusted (in fact one is a cousin and one is a fiancee).
>
> Looks like a web server. If it's internet and not intranet, turning
> off telnet should have been done before it went into production. I wouldn't be
> surprised if those were the only four people who needed access to the
> machine, which makes that straightforward.
>
> Since I'm on the soapbox, I have to wonder why the web & cgi guys need
> root access. The web stuff should all be owned by some user (not root)
> (or group). Access to that user (group) should be all they need -
> except for stopping and starting the server (damn Unix "privileged
> ports"). The latter is an ideal use for sudo. I've set up this kind of
> thing for outside contractors doing development on boxes I was
> responsible for. Yes, they bitched about it, and yes, it was a bit
> more work for me to set up - but I slept better at night knowing the
> clowns in question could only screw up *their* stuff.
>
>
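As an added illustration of the setup the quoted reply describes (this is not from the original thread): web content owned by an unprivileged account, with sudo granting root only for starting and stopping the server. The group name `webadm`, the `www` account and the `/usr/local/sbin/apachectl` path are assumptions made for the example.

```sudoers
# Added example, not from the thread. Assumed names: group "webadm"
# (the web and cgi people), account/group "www" that owns the web tree,
# and the Apache control script at /usr/local/sbin/apachectl.

# The setting the reply argues against: every admin gets full root.
# %webadm  ALL = (ALL) ALL

# Narrow grant: only the server start/stop/restart actions run as root,
# with the arguments fixed so the rule cannot be widened at run time.
Cmnd_Alias WEBCTL = /usr/local/sbin/apachectl start, \
                    /usr/local/sbin/apachectl stop, \
                    /usr/local/sbin/apachectl restart

# Editing the web content needs no root: the same group may act as the
# unprivileged owner of the document tree instead.
%webadm  ALL = (www) ALL, (root) WEBCTL

# Record every invocation so "who did what as root" can be answered later.
Defaults  logfile=/var/log/sudo.log
```

Install the rules with `visudo`, which checks the syntax before the file is written, and verify the result with `sudo -l` as a member of the group, which lists exactly the commands the rule permits.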