From owner-freebsd-security Tue Apr 3 11: 3:24 2001 Delivered-To: freebsd-security@freebsd.org Received: from xena.gsicomp.on.ca (cr677933-a.ktchnr1.on.wave.home.com [24.43.230.149]) by hub.freebsd.org (Postfix) with ESMTP id 073FF37B71C; Tue, 3 Apr 2001 11:03:19 -0700 (PDT) (envelope-from matt@gsicomp.on.ca) Received: from hermes (hermes.gsicomp.on.ca [192.168.0.18]) by xena.gsicomp.on.ca (8.11.1/8.11.3) with SMTP id f33I1SR03545; Tue, 3 Apr 2001 14:01:29 -0400 (EDT) (envelope-from matt@gsicomp.on.ca) Message-ID: <001f01c0bc68$681a2b20$1200a8c0@gsicomp.on.ca> From: "Matthew Emmerton" To: "Kherry Zamore" , Cc: References: <005401c0bc63$7cb36650$0202a8c0@majorzoot> Subject: Re: su change? Date: Tue, 3 Apr 2001 14:03:36 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > According to su.c, if the user you are changing to does not have a valid > shell, su complains and exits. A valid thing to do in today's security > conscience society. Now, lets say you want to become root to fix this > invalid shell problem.. su's nature is to complain and exit. The fix is > rather simple, somewhere around line 310 in su.c is: > > if (!chshell(pwd->pw_shell) && ruid) > errx(1, "permission denied (shell)."); > > The only thing we need to prepend to this is a check to see if we are trying > to su to root, which we should allow regardless of the shell specified: I disagree. The root account is an account that needs to have the highest number of security checks present. If you're swift enough to change root's shell to something non-standard and forget to update /etc/shells, then having to drop to single user mode is suitable punishment. After all, playing with the root user is like playing with fire -- sooner or later you're going to get burned. Just consider your friend lucky - doing similar things to the root account on any enterprise UNIX (UnixWare, Solaris, AIX) could require a complete reinstall - especially if it's running C2-level security. -- Matt Emmerton To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message