Date: Mon, 14 May 2001 12:29:09 -0500
From: Eric Anderson <anderson@centtech.com>
To: "Oulman, Jamie" <JOulman@iphrase.com>
Cc: "'freebsd-security@freebsd.org'" <freebsd-security@freebsd.org>
Subject: Re: nfs mounts / su / yp
Message-ID: <3B0015E5.2E1AED1B@centtech.com>
References: <3BF50BC1C2B5D411A06700508BD94D61016197AB@exchange2.iphrase.com>
If a user reboots their machine, goes into single user mode, and changes the local root password (and adds their username into the wheel group of course), then boots into multiuser mode, they can su to root, then su to any NIS user they desire, and do malicious things as that user. su'ing from root to any other user never asks for a password, so login.conf isn't used (right?)..

Eric

"Oulman, Jamie" wrote:
>
> I don't know about su -> nis user restriction. But only the users in the
> wheel group should be able to su root. Also, login.conf may be of some help.
>
> Cheers.
>
> -jamie
>
> -----Original Message-----
> From: Eric Anderson [mailto:anderson@centtech.com]
> Sent: Monday, May 14, 2001 9:13 AM
> To: freebsd-security@FreeBSD.ORG
> Subject: nfs mounts / su / yp
>
> I'm running FreeBSD client machines and mixed NFS servers. My clients
> nfs mount (or automount) the shares from the servers, and all are using
> NIS for login/password authentication. Home areas are NFS mounted
> also. My question is, if a user has (or gets) root on their desktop
> machine (FreeBSD 4.x), it allows them to su to any NIS user, and have
> access to anything as them, etc.. We often have users log in to other
> users' machines, and change desks, etc. So I can't only allow one or two
> users to log in to a particular box (this would be a nightmare, as I
> have hundreds of machines to work with). It's more like an su
> restriction set that needs to be created. Like, only certain users can
> su to root.. and root can only su to the user that it originally su'd
> from, if any. I'm just curious what anyone else might be doing to solve
> this problem, since it allows users to do dangerous things as other
> users..
>
> Thanks..
> Eric
>
> --
> -------------------------------------------------------------------------------
> Eric Anderson anderson@centtech.com Centaur Technology (512) 418-5792
> The idea is to die young as late as possible.
> -------------------------------------------------------------------------------
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
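Added example (editor's note, not part of the thread). The su restriction Eric is asking for would not close the hole, because the NFS server never sees su at all. With the AUTH_SYS credential flavor (historically called AUTH_UNIX) that these NFS mounts rely on, the client kernel puts the calling process's uid and gids into every RPC call and the server takes them at face value. Root on the client does not even need su: any uid 0 process can setuid() to a NIS user's uid and issue the same request. The only uid a server treats specially is 0, which an export maps to "nobody" unless the administrator overrides that with a maproot option. The Python below encodes and decodes an AUTH_SYS credential in the XDR layout from RFC 5531 and models that server-side mapping, so you can see exactly how much (and how little) the server has to go on. It is written for this note, not taken from FreeBSD or the thread; the machine name, the uids and the 65534 value used for the default root mapping are constructed illustration values.

```python
import struct

AUTH_SYS = 1          # RPC auth flavor number from RFC 5531 (a.k.a. AUTH_UNIX)
MAX_GIDS = 16         # RFC 5531 limit on supplementary gids in an AUTH_SYS body
MAX_BODY = 400        # RFC 5531 limit on the opaque_auth body
NOBODY_UID = 65534    # uid -2 as unsigned; assumed default mapping for remote root


def xdr_u32(value):
    """XDR unsigned int: 4 bytes, big-endian."""
    return struct.pack(">I", value & 0xFFFFFFFF)


def xdr_opaque(data):
    """XDR variable-length opaque/string: length, bytes, zero padding to 4."""
    return xdr_u32(len(data)) + data + b"\0" * ((-len(data)) % 4)


def encode_auth_sys(stamp, machinename, uid, gid, gids):
    """Build the opaque_auth an NFS client sends: flavor + XDR-encoded body.

    Nothing here is signed or secret; the client simply asserts uid and gids.
    """
    if len(gids) > MAX_GIDS:
        raise ValueError("AUTH_SYS allows at most %d supplementary gids" % MAX_GIDS)
    body = (xdr_u32(stamp)
            + xdr_opaque(machinename.encode())
            + xdr_u32(uid)
            + xdr_u32(gid)
            + xdr_u32(len(gids))
            + b"".join(xdr_u32(g) for g in gids))
    if len(body) > MAX_BODY:
        raise ValueError("AUTH_SYS body exceeds %d bytes" % MAX_BODY)
    return xdr_u32(AUTH_SYS) + xdr_opaque(body)


class _Reader:
    """Minimal XDR reader with bounds checking."""

    def __init__(self, buf):
        self.buf = buf
        self.pos = 0

    def u32(self):
        if self.pos + 4 > len(self.buf):
            raise ValueError("truncated XDR stream")
        (value,) = struct.unpack_from(">I", self.buf, self.pos)
        self.pos += 4
        return value

    def opaque(self):
        length = self.u32()
        data = self.buf[self.pos:self.pos + length]
        if len(data) != length:
            raise ValueError("truncated opaque field")
        self.pos += length + ((-length) % 4)
        return data


def decode_auth_sys(cred):
    """Parse a credential the way a server does: all it learns is numbers."""
    outer = _Reader(cred)
    if outer.u32() != AUTH_SYS:
        raise ValueError("not an AUTH_SYS credential")
    body = _Reader(outer.opaque())
    stamp = body.u32()
    machinename = body.opaque().decode()
    uid = body.u32()
    gid = body.u32()
    ngids = body.u32()
    if ngids > MAX_GIDS:
        raise ValueError("too many gids in AUTH_SYS body")
    gids = [body.u32() for _ in range(ngids)]
    return {"stamp": stamp, "machinename": machinename,
            "uid": uid, "gid": gid, "gids": gids}


def server_effective_uid(cred, maproot=None):
    """Model of an AUTH_SYS export's uid handling: only uid 0 is remapped.

    A client root that has switched to uid 1001 (via su or a bare setuid())
    sends 1001, and the server has no way to tell that apart from the real user.
    """
    uid = decode_auth_sys(cred)["uid"]
    if uid == 0:
        return NOBODY_UID if maproot is None else maproot
    return uid


if __name__ == "__main__":
    # Constructed values: a desktop named "desktop42", a NIS user with uid 1001.
    as_root = encode_auth_sys(1, "desktop42", 0, 0, [0])
    as_user = encode_auth_sys(1, "desktop42", 1001, 1001, [1001, 20])
    print("root on client is seen as uid", server_effective_uid(as_root))
    print("root after su/setuid to 1001 is seen as uid", server_effective_uid(as_user))
```

The second call is the whole problem in one line: root squashing stops the client's root from acting as the server's root, but it does nothing about root acting as any other uid, which is what the NFS-mounted home directories in this setup expose. Restricting su on the client only raises the bar for people who do not already have root; once they do, the credential is theirs to write. Closing this needs a credential the client cannot forge (Kerberos-based NFS, sec=krb5 and friends) or not letting untrusted hosts mount the export at all.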