From owner-freebsd-security@FreeBSD.ORG Sat Dec 18 03:21:54 2004
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EF8C416A4CE for ; Sat, 18 Dec 2004 03:21:54 +0000 (GMT)
Received: from blue.gerhardt-it.com (gw.gerhardt-it.com [204.83.38.103]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5D1FE43D58 for ; Sat, 18 Dec 2004 03:21:54 +0000 (GMT) (envelope-from scott@g-it.ca)
Received: from [70.64.67.217] (S0106000393801c60.ss.shawcable.net [70.64.67.217]) by blue.gerhardt-it.com (Postfix) with ESMTP id 2121EFDC0; Fri, 17 Dec 2004 21:21:52 -0600 (CST)
In-Reply-To: <20041218022556.GA85192@wjv.com>
References: <20041217120138.7A89116A4D2@hub.freebsd.org> <20041217145315.GB68582@wjv.com> <41C391BE.3030604@earthlink.net> <20041218022556.GA85192@wjv.com>
Mime-Version: 1.0 (Apple Message framework v619)
Content-Type: text/plain; charset=US-ASCII; format=flowed
Message-Id:
Content-Transfer-Encoding: 7bit
From: Scott Gerhardt
Date: Fri, 17 Dec 2004 21:21:51 -0600
To: bv@wjv.com
X-Mailer: Apple Mail (2.619)
cc: freebsd-security@freebsd.org
Subject: Re: Strange command histories in hacked shell history
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 18 Dec 2004 03:21:55 -0000

> I understand that after using Unix for about 2 decades.
> However in FreeBSD a user is supposed to be in the wheel group [if
> it exists] to be able to su to root.
>
> But if a person who is not in wheel su's to a user who is in wheel,
> then they can su to root - as the system sees them as the other
> user. This means that the 'wheel' security really is nothing more
> than a 2 password method to get to root.
>
> If the EUID of the original invoker is checked, even if they su'ed
> to a person in wheel, then they should not be able to su to root.
>
> I'm asking why is this permitted, or alternatively why is putting a
> user in the wheel group supposed to make things secure, when in
> reality it just makes it seem more secure - as there is only one
> more password to crack.
>

This makes no sense. If you can su to a user in the wheel group as an unprivileged user you need to know the user's password and you also need to know root's password to su to root. This seems pretty secure to me. If you want to be more secure than this then use sudo.

-- Scott