Date:      Fri, 8 Feb 2002 11:57:38 -0500 
From:      Beth Reid <breid@cyberguard.com>
To:        "'freebsd-security@FreeBSD.org'" <freebsd-security@FreeBSD.org>
Cc:        'Bill Swingle' <unfurl@dub.net>
Subject:   RE: Questions regarding the wheel group
Message-ID:  <F767BDFE817ED411A32100D0B7694A9FAD1C04@mail.cybg.com>

Bill, 

So sorry for the inconvenience.
There was some formatting in the document which made readability easier.

Hopefully freebsd-security can help me, thanx for suggestion.
Here is the straight text rather than a word document attachment:
-----
I am doing research on the wheel group and security and I had a couple of
questions.  

I understand the purpose of wheel as follows:  "Further protection is
offered for the root account by using a special group called the wheel
group. The wheel group adds greater security to a system by preventing users
that are not in this group from using the su (super user) command to su to
root."

So, the majority of the time one would add a user to the wheel group and
then give that person the root password so that these selected few users
could become root when they "su".  Makes sense and is a good feature.

While doing my research, I wanted to know what other type of privileges a
user would have if they belong to wheel.  What if someone inadvertently
added a user to the wheel group (and was not given root's password)?   Would
a user in the wheel group without the root password be able to compromise a
system in any way?

Some thoughts: Why should the wheel group be used on any files?  I would
think from a security point of view, wheel should not be the default or
primary group for root.  This way if you are in the wheel group and have
root's password, you can become root.  If you are in the wheel group, but do
not have root's password you should not gain any special privileges to any
files or directories.  You should be like any other user.

My initial step was to check the permissions on all of the files to see if
files with a group of "wheel" had permission bits where the group and other
bits differed.  Although this may not be exhaustive for every type of
system, this is what I found on a FreeBSD Release 4.3 (without source)
system.  The following files had a group of wheel and had different group
and other permissions.


1)  The only 2 devices on my system where wheel had more permission than
other were the following.  I am not sure yet if there is a vulnerability
here.
crw-rw----   2 root     wheel      14, 0x20000000 Nov 30 09:09 ./dev/rsa0.ctl
crw-rw----   2 root     wheel      14, 0x20000000 Nov 30 09:09 ./dev/sa0.ctl

2)  In the /proc directory there is a mem file for each process.  This seems
to me like a vulnerability.  The odd thing is that on one similar FreeBSD
4.3 release system the group was kmem for all files in this directory, all
other systems had the group for root as wheel.  So two questions here: 1)
why does the group differ on the two systems, and 2) why does the wheel
group have read privilege on these mem files?

-rw-r-----   1 root        wheel       0 Feb  6 12:27 ./proc/317/mem
-rw-r-----   1 root        wheel       0 Feb  6 12:27 ./proc/318/mem

3)  This seems harmless.
-r-xr-x---  1 root  wheel     12424 Apr 21  2001 ./usr/sbin/mptable

4)  This seems like it could be a vulnerability.  If someone is in wheel
that shouldn't be, he could read these files and perhaps gather some useful
information.
in /var/log
-rw-r-----  1 root  wheel    5490 Feb  6 03:01 setuid.today
-rw-r-----  1 root  wheel    5490 Feb  5 03:01 setuid.yesterday
-rw-r-----  1 root  wheel    5464 Feb  2 03:01 dmesg.today
-rw-r-----  1 root  wheel    5527 Feb  1 03:01 dmesg.yesterday
-rw-r-----  1 root  wheel     136 Dec  1 03:02 mount.today

5)  These directories allow wheel to poke around in them, but not someone in
the other group.  It seems like I wouldn't want the crash files exposed.
The cron directory is odd because although wheel can poke around in cron, he
can't get to the tabs subfolder.  The backup folder seems harmless(?).
Someone in wheel can remove files from /tmp.  

in /var
drwxrwxrwt  3 root    wheel    512 Feb  6 03:01 tmp
drwxr-x---  2 root    wheel    512 Feb  6 03:01 backups
drwxr-x---  3 root    wheel    512 Nov 30 09:08 cron
drwxr-x---  2 root    wheel    512 Nov 30 09:08 crash

Again, I am under the impression that if you put someone in wheel you want
him to be able to become root.  It seems wheel acts more like a role
mechanism where if you belong to it, you have an additional privilege.
Should the additional privileges include access to the files above or just
be the ability to execute the "su" command?  

In summary, if you could shed some light on any of these issues I would
really appreciate it.   If there are any documents you could point me to, I
would be happy to do the research myself.

I am looking for answers or information for the following:

1)  What if someone inadvertently added a user to the wheel group (and
was not given root's password)?   Would a user in the wheel group without
the root password be able to compromise a system in any way?
2)  Why should the wheel group be used on any files?
3)  Why is the wheel group the primary group for root?
4)  Items 1-5 for the files where group and other permissions differ.
An explanation for these files and directories.  Also the kmem issue is very
strange.
5)  Should being in the wheel group give any other privilege other than
to execute the "su" command?
--------

Thanx again and apologies for inconvenience.
Beth



-----Original Message-----
From: Bill Swingle [mailto:unfurl@dub.net]
Sent: Friday, February 08, 2002 11:50 AM
To: Beth Reid
Cc: 'security-officer@FreeBSD.org'
Subject: Re: Questions regarding the wheel group


Beth,

Being that we're a unix security group most of us use microsoft products
very rarely. If your questions are text only, why complicate the matter
with an attachment?

Secondly, most likely the forum that you're looking for is the
freebsd-security mailing list. Check the freebsd.org website for more
info.

-Bill

On Fri, Feb 08, 2002 at 09:34:03AM -0500, Beth Reid wrote:
> Hi
> 
> Attached is a document with a few questions regarding the wheel group and
> security.  If you have information, I would really appreciate it.  If you
> can't read the attachment for any reason, please let me know.
> 
> Thanx!
> 
> Beth Reid
> CyberGuard Corporation
> 
> phone: 954-958-3900 x3230
> email: breid@cyberguard.com
> fax: 954-958-3901
> 
> 
> See the LX, a new, low-cost EAL4 certified firewall/VPN compact appliance!
> http://www.cyberguard.com/SOLUTIONS/Solutions_lx1.html
> 
> 



-- 
-=| Bill Swingle - <unfurl@(dub.net|freebsd.org)>
-=| Every message PGP signed
-=| Fingerprint: C1E3 49D1 EFC9 3EE0 EA6E  6414 5200 1C95 8E09 0223
-=| "Computers are useless. They can only give you answers" Pablo Picasso 
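The two checks Beth's message calls for, written out as an added example that is not part of the original mail or of FreeBSD: first, the permission sweep she describes (every entry owned by a given group where the group bits grant something the "other" bits do not, which is exactly where wheel membership alone, without root's password, buys anything); second, a listing of who is effectively in that group, since "inadvertently added" is the case she worries about and group(5) alone misses accounts whose primary gid is the group's. Both are plain POSIX sh functions over find(1) and awk(1), so they run unchanged on FreeBSD and Linux. The function names, the constructed test tree and the constructed group/passwd files are this example's own; on a live box you would call `audit_group_perms / wheel` and `group_members wheel`.

```shell
#!/bin/sh
# Added example, not from the original mail or from FreeBSD.

# audit_group_perms ROOT [GROUP]
# Print every entry under ROOT owned by GROUP (default: wheel) where at least
# one of r/w/x is set for the group but not for "other". Only POSIX find(1)
# symbolic -perm tests are used, so this works with both BSD and GNU find.
# Errors (unreadable directories, unknown group) are silenced on purpose.
audit_group_perms() {
    root=$1
    grp=${2:-wheel}
    find "$root" -group "$grp" \
        \( \( -perm -g=r ! -perm -o=r \) \
        -o \( -perm -g=w ! -perm -o=w \) \
        -o \( -perm -g=x ! -perm -o=x \) \) \
        -print 2>/dev/null
}

# group_members GROUP [GROUPFILE] [PASSWDFILE]
# Print, one name per line, every account effectively in GROUP: the names on
# the group's line in group(5) plus every passwd(5) entry whose primary gid is
# that group's gid. The files default to the live system's; the demo and the
# test pass constructed ones. Returns 1 when GROUP is not defined.
group_members() {
    grp=$1
    groupfile=${2:-/etc/group}
    passwdfile=${3:-/etc/passwd}
    gid=$(awk -F: -v g="$grp" '$1 == g { print $3; exit }' "$groupfile")
    [ -n "$gid" ] || return 1
    {
        awk -F: -v g="$grp" '$1 == g && $4 != "" {
            n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$groupfile"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwdfile"
    } | sort -u
}

# Demo on a constructed tree and constructed group/passwd files, so the script
# runs offline and never touches the real system. The caller's own primary
# group stands in for wheel because an unprivileged user cannot chgrp to wheel.
demo() {
    tmp=$(mktemp -d "${TMPDIR:-/tmp}/wheelaudit.XXXXXX") || return 1
    mygrp=$(id -gn)
    mkdir "$tmp/crash"
    touch "$tmp/setuid.today" "$tmp/dmesg.today" "$tmp/public"
    chgrp "$mygrp" "$tmp/crash" "$tmp/setuid.today" "$tmp/dmesg.today" "$tmp/public"
    chmod 750 "$tmp/crash"          # group r-x, other ---  -> flagged
    chmod 640 "$tmp/setuid.today"   # group r--, other ---  -> flagged
    chmod 664 "$tmp/dmesg.today"    # group rw-, other r--  -> flagged (w)
    chmod 644 "$tmp/public"         # group r--, other r--  -> not flagged
    # Constructed group/passwd data: alice is listed in wheel, bob has gid 0
    # as primary group, carol is in neither.
    printf 'wheel:*:0:root,alice\nusers:*:100:\n' > "$tmp/group"
    printf 'root:*:0:0:Charlie Root:/root:/bin/sh\n' > "$tmp/passwd"
    printf 'bob:*:1001:0:Bob:/home/bob:/bin/sh\n' >> "$tmp/passwd"
    printf 'carol:*:1002:100:Carol:/home/carol:/bin/sh\n' >> "$tmp/passwd"
    chmod 644 "$tmp/group" "$tmp/passwd"   # keep them out of the sweep whatever umask is
    echo "Entries under $tmp where group $mygrp gets more than other:"
    audit_group_perms "$tmp" "$mygrp"
    echo "Effective members of wheel in the constructed files:"
    group_members wheel "$tmp/group" "$tmp/passwd"
    rm -rf "$tmp"
}

demo
```

On a real host the sweep is the interesting part: every path it prints is a place where a mistaken wheel membership, by itself, yields more than an ordinary user gets, which is the list Beth built by hand above. Running it with the group set to `kmem` on the system where /proc showed that group instead of wheel answers her second question about which group really guards those files there.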