Date:      Wed, 27 Mar 2002 11:39:00 -0800
From:      Greg Shenaut <greg@bogslab.ucdavis.edu>
To:        security@FreeBSD.ORG
Subject:   Re: Question on su / possible hole 
Message-ID:  <200203271939.g2RJd0965401@thistle.bogs.org>
In-Reply-To: Your message of "Wed, 27 Mar 2002 11:44:30 MST." <15522.4878.525099.369944@caddis.yogotech.com> 

In message <15522.4878.525099.369944@caddis.yogotech.com>, Nate Williams cleopede:
>> What I'm trying to get across is that perhaps the functionality of
>> su might be changed to look at who the user really is that is
>> invoking the su to root and permit only su to root for those in
>> wheel, while leaving the su to anyone else available for normal
>> users.
>
>Then restrict su, as others have pointed out.  There should be *NO*
>reason on your Colo box for anyone to use su, other than to gain root,
>correct?

Someone might want to use it to become another user besides root--this
is something I do from time to time--but the question is, should
ordinary (i.e., nonwheel) users be allowed to do that even if they
know the password?  I think perhaps not, so I add my vote for making
/usr/bin/su mode 4554.

However, I point out that if you know the password you can always
do "{telnet,ssh} -l wheeluser localhost" which is much the same
from the power perspective as "su wheeluser".

Greg Shenaut
