From owner-freebsd-security@FreeBSD.ORG Sat Dec 18 07:14:47 2004
From: Ed Stover <estover@nativenerds.com>
To: Elvedin Trnjanin, bv@wjv.com
cc: freebsd-security@freebsd.org
Subject: Re: Strange command histories in hacked shell history
Date: Sat, 18 Dec 2004 00:14:39 -0700
Organization: Native Nerds
Reply-To: estover@nativenerds.com
Message-Id: <1103354079.16723.6.camel@red.nativenerds.com>
In-Reply-To: <41C3AE7B.2040002@earthlink.net>
References: <20041217120138.7A89116A4D2@hub.freebsd.org> <20041217145315.GB68582@wjv.com> <41C391BE.3030604@earthlink.net> <20041218022556.GA85192@wjv.com> <41C3AE7B.2040002@earthlink.net>
List-Id: Security issues [members-only posting]

I like the idea of being able to allow certain users the ability to utilize one privileged task while not granting that user the ability to really do damage on a system.
And yes, I believe that a user will exist in wheel when he/she/it has the knowledge and skills needed for accountability. Yes (I sense it coming), I also believe that properly utilizing the user and group functions on a FreeBSD machine is really the way it should be done, but what fun can be had without bells, whistles and nifty programs that do the thinking for us? Personally I don't trust too many to be in my wheel, and my favorite practice is

    # chflags schg files

    bash-3.00$ sudo echo "woohooIhavekeysforjustrestartingfaileddaemons" | wall && rm -rf /etc && dd if=/dev/zero of=/var/testfile bs=1024 count=99999999 &

v.s.

    bash-3.00# su -l root
    bash-3.00# echo "woohooIhavekeysforeverything" | wall && rm -rf /etc && dd if=/dev/zero of=/var/testfile bs=1024 count=99999999 &

On Fri, 2004-12-17 at 22:13 -0600, Elvedin Trnjanin wrote:
> Bill Vermillion wrote:
>
> > I understand that after using Unix for about 2 decades.
> >
> > However in FreeBSD a user is supposed to be in the wheel group [if
> > it exists] to be able to su to root.
> >
> > But if a person who is not in wheel su's to a user who is in wheel,
> > then they can su to root - as the system sees them as the other
> > user.
> >
> > This means that the 'wheel' security really is nothing more
> > than a 2 password method to get to root.
> >
> Precisely. If you don't like this then the way around is to only allow a
> certain group access to su and none for everyone else.
>
> > If the EUID of the original invoker is checked, even if they su'ed
> > to a person in wheel, then they should not be able to su to root.
> >
> > I'm asking why is this permitted, or alternatively why is putting a
> > user in the wheel group supposed to make things secure, when in
> > reality it just makes it seem more secure - as there is only one
> > more password to crack.
> >
> One more password to crack is more time, which means a better chance of
> catching the cracker in the act. Although I don't know why exactly the
> authors of su did that the way they did, my first and best guess
> would be convenience. The two password method is better than a new login
> session each time you want to get to root. Second best guess would be
> that they didn't figure out that issue or at least think much of it.
>
> --
> ---
> Elvedin Trnjanin
> http://www.ods.org
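Bill's complaint in the quoted text is that the second su is authorized and logged as the intermediate wheel user, so the account that actually started the chain is only recoverable by correlating the su events that happened on the same tty. What follows is an added example of that correlation, written for this page and not taken from anyone in the thread or from FreeBSD itself. It assumes FreeBSD su(1)'s syslog message format (`su: <from> to <to> on <tty>`, with a `BAD SU` prefix on failed attempts) and a classic syslog timestamp; the log lines, hostname, user names and wheel membership set are all constructed for the demonstration.

```python
"""Flag root escalations that went through an intermediate account (user -> wheel member -> root).

Added example for the su/wheel discussion; not code from the thread or from FreeBSD.
Assumed log format (FreeBSD su(1) via syslog):
    <Mon DD HH:MM:SS> <host> su: <from> to <to> on <tty>
    <Mon DD HH:MM:SS> <host> su: BAD SU <from> to <to> on <tty>
Everything in SAMPLE_LOG and WHEEL below is constructed sample data.
"""
import re
from dataclasses import dataclass

SU_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) su(?:\[\d+\])?: "
    r"(?P<bad>BAD SU )?(?P<src>\S+) to (?P<dst>\S+) on (?P<tty>\S+)$"
)


@dataclass
class SuEvent:
    ts: str
    src: str   # account su was run as (already the intermediate user on the second hop)
    dst: str   # account su switched to
    tty: str
    ok: bool   # False for "BAD SU" (authentication failed)


def parse_su_lines(lines):
    """Turn raw syslog lines into SuEvent records; lines that are not su messages are ignored."""
    events = []
    for line in lines:
        m = SU_LINE.match(line)
        if m:
            events.append(SuEvent(m["ts"], m["src"], m["dst"], m["tty"], m["bad"] is None))
    return events


def find_su_chains(events, wheel):
    """Return one finding per successful su to root whose real originator is another account.

    Per tty we remember (original invoker, account the tty currently runs as). When a later
    successful su on that tty is issued by the account we last switched *to*, the original
    invoker is carried forward. A su to root whose carried-forward origin differs from the
    logged source is reported, and marked as bypassing wheel if that origin is not a member.
    """
    tty_state = {}   # tty -> (original invoker, current account)
    findings = []
    for ev in events:
        if not ev.ok:
            continue   # failed attempts do not change who the tty runs as
        origin, current = tty_state.get(ev.tty, (None, None))
        chain_origin = origin if current == ev.src else ev.src
        if ev.dst == "root" and chain_origin != ev.src:
            findings.append({
                "tty": ev.tty,
                "ts": ev.ts,
                "origin": chain_origin,
                "via": ev.src,
                "origin_in_wheel": chain_origin in wheel,
            })
        tty_state[ev.tty] = (chain_origin, ev.dst)
    return findings


def audit(lines, wheel):
    """Convenience wrapper: parse and correlate in one call."""
    return find_su_chains(parse_su_lines(lines), wheel)


# Constructed sample data: alice and bob are in wheel, mallory is not.
WHEEL = {"alice", "bob"}
SAMPLE_LOG = """\
Dec 18 00:10:02 red su: alice to root on /dev/ttyp0
Dec 18 00:12:40 red su: BAD SU mallory to root on /dev/ttyp1
Dec 18 00:13:05 red su: mallory to bob on /dev/ttyp1
Dec 18 00:13:30 red su: bob to root on /dev/ttyp1
Dec 18 00:20:51 red su: bob to root on /dev/ttyp2
""".splitlines()

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, WHEEL):
        wheel_note = "" if f["origin_in_wheel"] else " (origin NOT in wheel)"
        print(f"{f['ts']} {f['tty']}: {f['origin']} reached root via {f['via']}{wheel_note}")
```

On the sample data only the /dev/ttyp1 sequence is reported: mallory's direct attempt fails, mallory su's to bob, and bob's su to root is credited back to mallory, who is not in wheel. The direct root escalations by alice and bob are not findings. Two caveats for real use: leaving an su shell (exit) is not logged, so a tty reused by its original owner can produce a false positive unless you also correlate login/logout records, and the correlation says nothing about a user who logs in directly as the wheel account; the accountability problem the thread describes is only narrowed, not removed, by this kind of log analysis.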