From owner-freebsd-security  Wed Mar 27 11:38:56 2002
Delivered-To: freebsd-security@freebsd.org
Received: from bogslab.ucdavis.edu (bogslab.ucdavis.edu [169.237.68.34])
	by hub.freebsd.org (Postfix) with ESMTP id 86E2537B417
	for <security@FreeBSD.ORG>; Wed, 27 Mar 2002 11:38:51 -0800 (PST)
Received: from thistle.bogs.org (thistle.bogs.org [198.137.203.61])
	by bogslab.ucdavis.edu (8.9.3/8.9.3) with ESMTP id LAA55689
	for <security@FreeBSD.ORG>; Wed, 27 Mar 2002 11:38:44 -0800 (PST)
	(envelope-from greg@bogslab.ucdavis.edu)
Received: from thistle.bogs.org (localhost [127.0.0.1])
	by thistle.bogs.org (8.11.3/8.11.3) with ESMTP id g2RJd0965401
	for <security@FreeBSD.ORG>; Wed, 27 Mar 2002 11:39:00 -0800 (PST)
	(envelope-from greg@thistle.bogs.org)
Message-Id: <200203271939.g2RJd0965401@thistle.bogs.org>
To: security@FreeBSD.ORG
X-To: Nate Williams <nate@yogotech.com>
X-Sender: owner-freebsd-security@FreeBSD.ORG 
Subject: Re: Question on su / possible hole 
In-reply-to: Your message of "Wed, 27 Mar 2002 11:44:30 MST."
             <15522.4878.525099.369944@caddis.yogotech.com> 
Reply-To: gkshenaut@ucdavis.edu
Date: Wed, 27 Mar 2002 11:39:00 -0800
From: Greg Shenaut <greg@bogslab.ucdavis.edu>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

In message <15522.4878.525099.369944@caddis.yogotech.com>, Nate Williams cleopede:
>> What I'm tyring to get across is that perhaps the funtionality of
>> su might be changed to look at who the user really is that is
>> invoking the su to root and permit only su to root for those in
>> wheel, while leaving the su to anyone else available for normal
>> users.
>
>Then restrict su, as others have pointed out.  There should be *NO*
>reason on your Colo box for anyone to use su, other than to gain root,
>correct?

Someone might want to use it to become another user besides root--this
is something I do from time to time--but the question is, should
ordinary (i.e., nonwheel users) be allowed to do that even if they
know the password?  I think perhaps not, so I add my vote for making
/usr/bin/su mode 4554.

However, I point out that if you know the password you can always
do "{telnet,ssh} -l wheeluser localhost" which is much the same
from the power perspective as "su wheeluser".

Greg Shenaut

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message