Date: Wed, 27 Mar 2002 11:39:00 -0800
From: Greg Shenaut <greg@bogslab.ucdavis.edu>
To: security@FreeBSD.ORG
Subject: Re: Question on su / possible hole
Message-ID: <200203271939.g2RJd0965401@thistle.bogs.org>
In-Reply-To: Your message of "Wed, 27 Mar 2002 11:44:30 MST." <15522.4878.525099.369944@caddis.yogotech.com>

In message <15522.4878.525099.369944@caddis.yogotech.com>, Nate Williams cleopede:
>> What I'm trying to get across is that perhaps the functionality of
>> su might be changed to look at who the user really is that is
>> invoking the su to root and permit only su to root for those in
>> wheel, while leaving the su to anyone else available for normal
>> users.
>
>Then restrict su, as others have pointed out. There should be *NO*
>reason on your Colo box for anyone to use su, other than to gain root,
>correct?

Someone might want to use it to become another user besides root--this
is something I do from time to time--but the question is, should
ordinary (i.e., nonwheel users) be allowed to do that even if they
know the password? I think perhaps not, so I add my vote for making
/usr/bin/su mode 4554.

However, I point out that if you know the password you can always
do "{telnet,ssh} -l wheeluser localhost" which is much the same
from the power perspective as "su wheeluser".

Greg Shenaut
