Date:      Tue, 3 Apr 2001 13:51:21 -0500
From:      Mike Meyer <mwm@mired.org>
To:        "Matthew Emmerton" <matt@gsicomp.on.ca>
Cc:        "Kherry Zamore" <dknj@dknj.org>, <freebsd-stable@FreeBSD.ORG>, <freebsd-security@FreeBSD.ORG>
Subject:   Re: su change?
Message-ID:  <15050.7081.662834.357741@guru.mired.org>
In-Reply-To: <001f01c0bc68$681a2b20$1200a8c0@gsicomp.on.ca>
References:  <005401c0bc63$7cb36650$0202a8c0@majorzoot> <001f01c0bc68$681a2b20$1200a8c0@gsicomp.on.ca>

Matthew Emmerton <matt@gsicomp.on.ca> types:
> > According to su.c, if the user you are changing to does not have a valid
> > shell, su complains and exits.  A valid thing to do in today's security
> > conscious society.  Now, let's say you want to become root to fix this
> > invalid shell problem.. su's nature is to complain and exit.  The fix is
> > rather simple, somewhere around line 310 in su.c is:
> >
> > if (!chshell(pwd->pw_shell) && ruid)
> >     errx(1, "permission denied (shell).");
> >
> > The only thing we need to prepend to this is a check to see if we are trying
> > to su to root, which we should allow regardless of the shell specified:
> I disagree.  The root account is an account that needs to have the highest
> number of security checks present.  If you're swift enough to change root's
> shell to something non-standard and forget to update /etc/shells, then
> having to drop to single user mode is suitable punishment.  After all,
> playing with the root user is like playing with fire -- sooner or later
> you're going to get burned.

The fix he suggested isn't for the case of root's shell not being in
/etc/shells, it's for the case of root's shell not being an
executable.

If root's shell isn't in /etc/shells, then stock su with no arguments
will work just fine - you'll just get the non-standard shell. If
root's shell isn't executable, then su with no flags fails because the
exec of the shell fails. If you try and use the "-m" flag to su and
start your shell, the quoted code causes a failure. Only root (the "&&
ruid" test) is allowed to su to an account with a non-standard shell
without using the non-standard shell.

If you hit that case, and don't have a root shell around, you're
pretty much hosed. You have to power cycle to get the machine to a
state where this can be fixed, whether that means just booting
single-user, or booting from an alternate media of some kind, or
something really extreme. Sudo can probably be configured to solve the
problem as well.

This just expands the current policy of "Only root can get a standard
shell for an account with a non-standard shell" to include the case
where the account is root. I think it would be better if the code
showed that, though:

	if (!chshell(pwd->pw_shell) && ruid && pwd->pw_uid)
	    errx(1, "permission denied (shell).");

but that's just me.

On the other hand, I advise against changing root's shell, and this
lends weight to that advice.

	<mike
--
Mike Meyer <mwm@mired.org>			http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
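As an added example, not code from the thread or from FreeBSD's su.c: a small C model of the "permission denied (shell)" check being discussed, so the stock policy and the proposed one can be compared side by side. chshell() is a stand-in for su.c's function of that name, and the list of standard shells is embedded here instead of being read from /etc/shells; the uids and shells used in main() are constructed sample values. The model covers only the chshell check hit by "su -m", not the separate failure of exec when the target shell is not executable.

```c
/* Added example: models the policy check discussed in the thread.
 * Not the FreeBSD su.c code; chshell() and the shell list are stand-ins. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for the contents of /etc/shells. */
static const char *const standard_shells[] = {
    "/bin/sh", "/bin/csh", "/usr/local/bin/bash"
};

/* Like su.c's chshell(): nonzero iff `shell` appears in /etc/shells. */
int chshell(const char *shell)
{
    size_t i;
    for (i = 0; i < sizeof(standard_shells) / sizeof(standard_shells[0]); i++)
        if (strcmp(shell, standard_shells[i]) == 0)
            return 1;
    return 0;
}

/* Stock check quoted in the thread:
 *   if (!chshell(pwd->pw_shell) && ruid) errx(1, "permission denied (shell).");
 * Returns 1 when su would refuse, 0 when it would proceed. */
int denied_stock(const char *target_shell, uid_t ruid)
{
    return !chshell(target_shell) && ruid != 0;
}

/* Proposed check from the thread: also let anyone su to root (uid 0)
 * even when root's shell is non-standard. */
int denied_proposed(const char *target_shell, uid_t ruid, uid_t target_uid)
{
    return !chshell(target_shell) && ruid != 0 && target_uid != 0;
}

int main(void)
{
    /* Constructed cases: a wheel user (uid 1000) and root (uid 0) as callers,
     * root (uid 0) and a service account (uid 1001) as targets. */
    struct { const char *shell; uid_t ruid; uid_t target; } cases[] = {
        { "/bin/sh",  1000, 0    },   /* standard shell: always allowed */
        { "/bin/zsh", 1000, 0    },   /* root with unlisted shell, non-root caller */
        { "/bin/zsh", 0,    1001 },   /* root caller: always allowed */
        { "/bin/zsh", 1000, 1001 },   /* non-root target with unlisted shell */
    };
    size_t i;
    printf("%-12s %5s %6s  %-6s %-8s\n", "shell", "ruid", "target", "stock", "proposed");
    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-12s %5u %6u  %-6s %-8s\n", cases[i].shell,
               (unsigned)cases[i].ruid, (unsigned)cases[i].target,
               denied_stock(cases[i].shell, cases[i].ruid) ? "deny" : "allow",
               denied_proposed(cases[i].shell, cases[i].ruid, cases[i].target) ? "deny" : "allow");
    return 0;
}
```

The only row where the two policies differ is a non-root caller targeting root whose shell is not in /etc/shells: stock su refuses, the proposed check allows it, and every other row is unchanged, which is the "expand the current policy to include root" reading of the patch.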