Subject: Re: Question on su / possible hole
From: Greg Shenaut
Reply-To: gkshenaut@ucdavis.edu
To: security@FreeBSD.ORG
Date: Wed, 27 Mar 2002 11:39:00 -0800
Message-Id: <200203271939.g2RJd0965401@thistle.bogs.org>
In-reply-to: Your message of "Wed, 27 Mar 2002 11:44:30 MST." <15522.4878.525099.369944@caddis.yogotech.com>

In message <15522.4878.525099.369944@caddis.yogotech.com>, Nate Williams cleopede:

>> What I'm trying to get across is that perhaps the functionality of
>> su might be changed to look at who the user really is that is
>> invoking the su to root and permit only su to root for those in
>> wheel, while leaving the su to anyone else available for normal
>> users.
>
>Then restrict su, as others have pointed out. There should be *NO*
>reason on your Colo box for anyone to use su, other than to gain root,
>correct?

Someone might want to use it to become another user besides root--this is something I do from time to time--but the question is, should ordinary (i.e., non-wheel) users be allowed to do that even if they know the password?

I think perhaps not, so I add my vote for making /usr/bin/su mode 4554. However, I point out that if you know the password you can always do "{telnet,ssh} -l wheeluser localhost" which is much the same from the power perspective as "su wheeluser".

Greg Shenaut
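An added example, not part of the thread: a POSIX sh audit for the mode-4554 lockdown suggested above (setuid root, group wheel, no world-execute bit, so only wheel members can run su at all). The stat(1) format strings and the uname-based OS switch are assumptions about the host, not taken from the message.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Checks whether an su binary is restricted the way mode 4554 + group wheel
# restricts it: setuid bit present, group is wheel, "other" execute bit clear.

# su_mode_ok MODE GROUP
#   MODE  octal permission string as printed by stat, e.g. 4554 or 4755
#   GROUP name of the group owning the binary
# Returns 0 when users outside wheel cannot execute su, 1 otherwise.
su_mode_ok() {
    mode=$1
    group=$2
    # Normalise to four octal digits (some stat builds print "755", not "0755").
    while [ ${#mode} -lt 4 ]; do mode="0$mode"; done
    special=$(printf '%s' "$mode" | cut -c1)   # setuid/setgid/sticky digit
    other=$(printf '%s' "$mode" | cut -c4)     # permissions for "other"
    # Without setuid, su cannot become root at all (that is a broken install,
    # not a restriction), so treat it as failing the check.
    case $special in 4|5|6|7) ;; *) return 1 ;; esac
    # Only wheel may keep the group-execute bit; any other group widens access.
    [ "$group" = wheel ] || return 1
    # World-execute set means every local user can still run su.
    case $other in 1|3|5|7) return 1 ;; esac
    return 0
}

# audit_su [PATH]: read the live mode and group of su and print a verdict.
# Assumes Linux "stat -c" or BSD "stat -f" (assumed format strings).
audit_su() {
    path=${1:-/usr/bin/su}
    case $(uname -s) in
        *BSD|Darwin) set -- $(stat -f '%Mp%Lp %Sg' "$path") ;;
        *)           set -- $(stat -c '%a %G' "$path") ;;
    esac
    if su_mode_ok "$1" "$2"; then
        echo "$path: mode $1 group $2: restricted to wheel"
        return 0
    fi
    echo "$path: mode $1 group $2: executable by non-wheel users"
    return 1
}
```

Note that this only audits the su binary itself; as the message points out, a user who knows a wheel member's password can still reach that account via "ssh -l wheeluser localhost".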