Date: Sat, 18 Dec 2004 00:14:39 -0700
From: Ed Stover <estover@nativenerds.com>
To: Elvedin Trnjanin <mnsan11@earthlink.net>, bv@wjv.com
Cc: freebsd-security@freebsd.org
Subject: Re: Strange command histories in hacked shell history
Message-ID: <1103354079.16723.6.camel@red.nativenerds.com>
In-Reply-To: <41C3AE7B.2040002@earthlink.net>
References: <20041217120138.7A89116A4D2@hub.freebsd.org> <20041217145315.GB68582@wjv.com> <41C391BE.3030604@earthlink.net> <20041218022556.GA85192@wjv.com> <41C3AE7B.2040002@earthlink.net>
I like the idea of being able to allow certain users the ability to utilize one privileged task while not granting that user the ability to really do damage on a system. And yes, I believe that a user will exist in wheel when he/she/it has the knowledge and skills needed for accountability. Yes (I sense it coming), I also believe that properly utilizing the user and group functions on a FreeBSD machine is really the way it should be done, but what fun can be had without bells, whistles and nifty programs that do the thinking for us? Personally I don't trust too many to be in my wheel, and my favorite practice is

# chflags schg files

bash-3.00$ sudo echo "woohooIhavekeysforjustrestartingfaileddaemons" | wall && rm -rf /etc && dd if=/dev/zero of=/var/testfile bs=1024 count=99999999 &

vs.

bash-3.00# su -l root
bash-3.00# echo "woohooIhavekeysforeverything" | wall && rm -rf /etc && dd if=/dev/zero of=/var/testfile bs=1024 count=99999999 &

On Fri, 2004-12-17 at 22:13 -0600, Elvedin Trnjanin wrote:
> Bill Vermillion wrote:
>
> > I understand that after using Unix for about 2 decades.
> >
> > However in FreeBSD a user is supposed to be in the wheel group [if
> > it exists] to be able to su to root.
> >
> > But if a person who is not in wheel su's to a user who is in wheel,
> > then they can su to root - as the system sees them as the other
> > user.
> >
> > This means that the 'wheel' security really is nothing more
> > than a 2 password method to get to root.
>
> Precisely. If you don't like this then the way around is to only allow a
> certain group access to su and none for everyone else.
>
> > If the EUID of the original invoker is checked, even if they su'ed
> > to a person in wheel, then they should not be able to su to root.
> >
> > I'm asking why this is permitted, or alternatively why putting a
> > user in the wheel group is supposed to make things secure, when in
> > reality it just makes it seem more secure - as there is only one
> > more password to crack.
>
> One more password to crack is more time, which means a better chance of
> catching the cracker in the act. I don't know why exactly the
> authors of su did it the way they did, but my first and best guess
> would be convenience. The two password method is better than a new login
> session each time you want to get to root. Second best guess would be
> that they didn't figure out that issue or at least think much of it.
>
> --
> ---
> Elvedin Trnjanin
> http://www.ods.org
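The point of Ed's sudo vs. su comparison is that `sudo` elevates only the first simple command on the line: after the `|`, `&&` and `&`, the shell of the invoking user runs `wall`, `rm -rf /etc` and `dd` with the user's own privileges, whereas after `su -l root` every command on the line is root. The following is an added example, not code from the original thread or from FreeBSD or sudo. It tokenizes a command line with Python's `shlex` and reports which simple commands actually run under the privilege wrapper. It assumes a generic `sudo`/`doas`-style wrapper that elevates exactly one simple command (options such as `sudo -s` are not interpreted), and the sample command lines in `__main__` are constructed from the message above.

```python
import shlex

# Shell control operators. A sudo/doas prefix covers only the simple command
# it starts; the shell runs whatever follows one of these as the caller.
CONTROL_OPERATORS = {"|", "||", "&&", ";", "&"}

# Assumption: a generic privilege wrapper that elevates exactly one simple
# command. sudo options (-s, -i, -u, ...) are not interpreted here.
ELEVATORS = {"sudo", "doas"}


def split_simple_commands(cmdline):
    """Split a shell command line into simple commands (lists of words).

    Quoting is respected, so sudo sh -c "a | b && c" stays one command with
    the whole compound line as a single argument. Redirection tokens (<, >)
    are left inside the command they belong to.
    """
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for token in lexer:
        if token in CONTROL_OPERATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def privileged_segments(cmdline):
    """Return [(command, runs_as_root), ...] for each simple command.

    The command text is re-quoted with shlex.join so that an argument which
    contained operators (e.g. the string given to sh -c) is shown intact.
    """
    return [
        (shlex.join(words), words[0] in ELEVATORS)
        for words in split_simple_commands(cmdline)
    ]


def unprivileged_tail(cmdline):
    """List the commands that run as the invoking user, not via the wrapper.

    Empty for a line that elevates everything, e.g. sudo sh -c '...'.
    """
    return [cmd for cmd, elevated in privileged_segments(cmdline) if not elevated]


if __name__ == "__main__":
    # Constructed sample lines modelled on the message above (not real input).
    loose = ('sudo echo "woohoo" | wall && rm -rf /etc '
             '&& dd if=/dev/zero of=/var/testfile bs=1024 count=99999999 &')
    tight = "sudo sh -c 'echo woohoo | wall && rm -rf /etc'"
    for line in (loose, tight):
        print(line)
        for cmd, elevated in privileged_segments(line):
            print("  %-5s %s" % ("ROOT" if elevated else "user", cmd))
```

Run stand-alone it prints the first line with only `sudo echo woohoo` marked ROOT and the three following commands marked user; the `sudo sh -c '...'` form comes back as a single ROOT segment, which is the shape a sudoers rule has to be written against if the intent really is to grant the whole compound line.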
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1103354079.16723.6.camel>