From: Elvedin Trnjanin
Date: Fri, 17 Dec 2004 22:13:47 -0600
To: bv@wjv.com
cc: freebsd-security@freebsd.org
Subject: Re: Strange command histories in hacked shell history
Message-ID: <41C3AE7B.2040002@earthlink.net>
In-Reply-To: <20041218022556.GA85192@wjv.com>
List-Id: Security issues [members-only posting]

Bill Vermillion wrote:
> I understand that after using Unix for about 2 decades.
>
> However in FreeBSD a user is supposed to be in the wheel group [if
> it exists] to be able to su to root.
>
> But if a person who is not in wheel su's to a user who is in wheel,
> then they can su to root - as the system sees them as the other
> user.
>
> This means that the 'wheel' security really is nothing more
> than a 2 password method to get to root.

Precisely. If you don't like this, then the way around it is to only allow a certain group access to su and none for everyone else.

> If the EUID of the original invoker is checked, even if they su'ed
> to a person in wheel, then they should not be able to su to root.
>
> I'm asking why is this permitted, or alternatively why is putting a
> user in the wheel group supposed to make things secure, when in
> reality it just makes it seem more secure - as there is only one
> more password to crack.

One more password to crack is more time, which means a better chance of catching the cracker in the act. Although I don't know why exactly the authors of su did that the way they did, my first and best guess would be convenience. The two password method is better than a new login session each time you want to get to root. Second best guess would be that they didn't figure out that issue, or at least didn't think much of it.

--
---
Elvedin Trnjanin
http://www.ods.org
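The two-hop route Bill describes (su to a wheel member, then su to root) leaves two successful su records on the same tty, which is what an auditor can look for. The following added example is not code from this thread or from FreeBSD's su; it walks constructed syslog lines in su's "user to user on tty" notice format and flags root sessions whose original invoker is not in wheel. The log lines, the wheel membership set and the helper name are assumptions.

```python
import re

# Constructed sample log: FreeBSD-style su notices of the form
# "su: <src> to <dst> on <tty>"; failed attempts are logged as "BAD SU".
SAMPLE_LOG = """\
Dec 17 21:58:02 host su: bob to alice on /dev/ttyp1
Dec 17 21:58:40 host su: alice to root on /dev/ttyp1
Dec 17 22:01:11 host su: carol to root on /dev/ttyp2
Dec 17 22:05:03 host su: BAD SU dave to root on /dev/ttyp3
"""

# Hypothetical wheel membership for this host.
WHEEL = {"alice", "carol"}

SU_RE = re.compile(r"su: (?P<src>\S+) to (?P<dst>\S+) on (?P<tty>\S+)$")


def find_laundered_root_su(log_text, wheel):
    """Return (original_invoker, last_hop_user, tty) triples for every
    successful su to root where the user who started the chain of su hops
    on that tty is not a wheel member.

    Chains are tracked per tty; a tty reused by a later login session
    would need session boundaries to be handled properly (not done here).
    """
    origin = {}    # (tty, current_user) -> user who began the chain
    findings = []
    for line in log_text.splitlines():
        if "BAD SU" in line:
            continue  # failed attempt, no privilege change happened
        m = SU_RE.search(line)
        if not m:
            continue
        src, dst, tty = m.group("src", "dst", "tty")
        # If src was itself reached by an earlier hop on this tty, the
        # real invoker is whoever began that hop, not src.
        orig = origin.get((tty, src), src)
        origin[(tty, dst)] = orig
        if dst == "root" and orig not in wheel:
            findings.append((orig, src, tty))
    return findings


if __name__ == "__main__":
    for orig, via, tty in find_laundered_root_su(SAMPLE_LOG, WHEEL):
        print(f"non-wheel user {orig} reached root via {via} on {tty}")
```

Running it on the sample flags bob, who reached root through alice on /dev/ttyp1, while carol's direct su as a wheel member is left alone.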