Date:      Tue, 28 Nov 1995 19:10:38 -0700 (MST)
From:      Terry Lambert <terry@lambert.org>
To:        nate@rocky.sri.MT.net (Nate Williams)
Cc:        terry@lambert.org, joerg_wunsch@uriah.heep.sax.de, freebsd-current@FreeBSD.org
Subject:   Re: schg flag on make world in -CURRENT
Message-ID:  <199511290210.TAA26584@phaeton.artisoft.com>
In-Reply-To: <199511282344.QAA18335@rocky.sri.MT.net> from "Nate Williams" at Nov 28, 95 04:44:07 pm

> WHAT?!?  Terry, you're losing it.
> 
> Do you understand what the 'secure' flag means?  It means that root is
> allowed to directly login via that tty/pty.  So, if you have folks who
> need to come in remotely in your scheme, you need to make *ALL* of your
> connections secure, which opens up a huge can of worms.

Only if they need to su to root after they come in.  What normal user
comes in from outside the firewall and su's anyway?

It's silly to type a root password over an insecure line.  That's the
point of not allowing it.  Even if the potential cracker types it
right, he types it wrong.

> The current behavior is a mix of usefulness plus security.  The cracker
> needs to break into an account which is in the 'wheel' group, and then
> they need to crack the root passwd w/out raising suspicions in the
> logfiles while every failed attempt to 'su' to root is logged to the
> screen, the logfile, and any user already su'd to root on the box.

Logfiles go away after your cracker is in, as do the console contents.  And
since you can tell other users su'ed onto the machine (as well as anyone
else syslog feels free to bitch at) without arousing suspicions.

All your cracker has to do is watch the wire traffic to get your root
password, and use it, if you allow it to be used over the wire in the
first place.

Setting ptys secure is a silly thing to do in any situation, as is
allowing users to su from insecure lines.


					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
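An added audit example, not part of this thread or of FreeBSD's own tools: it parses a constructed /etc/ttys-style table (assumed layout: name, getty command, terminal type, status, optional `secure`) and constructed syslog lines in the shape su(1) is assumed to emit, then reports network ptys flagged secure, failed su-to-root attempts per user, and successful root su's from network ttys, the password-across-the-wire case the message above objects to.

```python
import re
import shlex
from collections import Counter
# Constructed /etc/ttys-style sample (assumed layout: name getty type [status] [secure]).
TTYS_SAMPLE = """\
# name  getty                           type    status  comments
console none                            unknown off     secure
ttyv0   "/usr/libexec/getty Pc"         cons25  on      secure
ttyd0   "/usr/libexec/getty std.9600"   dialup  on
ttyp0   none                            network         secure
ttyp1   none                            network
"""
# Constructed syslog lines in the shape su(1) is assumed to emit.
LOG_SAMPLE = """\
Nov 28 16:40:01 host su: nate to root on /dev/ttyv0
Nov 28 16:41:13 host su: BAD SU guest to root on /dev/ttyp0
Nov 28 16:41:20 host su: BAD SU guest to root on /dev/ttyp0
Nov 28 16:42:02 host su: nate to root on /dev/ttyp1
"""
SU_RE = re.compile(r" su: (?P<bad>BAD SU )?(?P<user>\S+) to (?P<target>\S+) on /dev/(?P<tty>\S+)")

def parse_ttys(text):
    """Map tty name -> (terminal type, set of trailing flags) for each /etc/ttys entry."""
    table = {}
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)   # handles the quoted getty command
        if len(fields) >= 3:
            table[fields[0]] = (fields[2], set(fields[3:]))
    return table

def secure_network_ttys(text):
    """Network ptys carrying 'secure': root may log in directly over the wire."""
    return sorted(n for n, (ty, fl) in parse_ttys(text).items()
                  if ty == "network" and "secure" in fl)

def su_events(text):
    """Return (succeeded, user, target, tty) for every su(1) record in the log."""
    return [(m["bad"] is None, m["user"], m["target"], m["tty"])
            for m in map(SU_RE.search, text.splitlines()) if m]

def failed_root_su(text):
    """Failed su-to-root attempts per user: the logged noise the quoted message counts on."""
    return dict(Counter(u for ok, u, target, _ in su_events(text) if not ok and target == "root"))

def root_su_over_network(log_text, ttys_text):
    """Successful su to root from a network tty, i.e. a root password typed across the wire."""
    net = {n for n, (ty, _) in parse_ttys(ttys_text).items() if ty == "network"}
    return [(u, tty) for ok, u, target, tty in su_events(log_text)
            if ok and target == "root" and tty in net]
```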
