From owner-freebsd-stable  Wed Apr  4 17: 7: 3 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from meow.osd.bsdi.com (meow.osd.bsdi.com [204.216.28.88])
	by hub.freebsd.org (Postfix) with ESMTP
	id 85CAB37B43E; Wed,  4 Apr 2001 17:06:57 -0700 (PDT)
	(envelope-from jhb@FreeBSD.org)
Received: from laptop.baldwin.cx (john@jhb-laptop.osd.bsdi.com [204.216.28.241])
	by meow.osd.bsdi.com (8.11.2/8.11.2) with ESMTP id f3506TG52369;
	Wed, 4 Apr 2001 17:06:29 -0700 (PDT)
	(envelope-from jhb@FreeBSD.org)
Message-ID: <XFMail.010404170602.jhb@FreeBSD.org>
X-Mailer: XFMail 1.4.0 on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To: <002d01c0bc6d$2d558390$035778d8@sherline.net>
Date: Wed, 04 Apr 2001 17:06:02 -0700 (PDT)
From: John Baldwin <jhb@FreeBSD.org>
To: Jeremiah Gowdy <data@irev.net>
Subject: Re: su change?
Cc: freebsd-security@FreeBSD.org, freebsd-stable@FreeBSD.org,
	Kherry Zamore <dknj@dknj.org>, Matthew Emmerton <matt@gsicomp.on.ca>
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG


On 03-Apr-01 Jeremiah Gowdy wrote:
> 
>> > if (!chshell(pwd->pw_shell) && ruid)
>> >     errx(1, "permission denied (shell).");
>> >
>> > The only thing we need to prepend to this is a check to see if we are
>> trying
>> > to su to root, which we should allow regardless of the shell specified:
>>
>> I disagree.  The root account is an account that needs to have the highest
>> number of security checks present.
> 
> Then make a point as to why root, when not having a valid shell, not being
> able to log in is a useful security check in any way shape or form.  So

Last time I checked single-user was a shape.

The real problem here is people changing root's shell.  You shouldn't be
logging in as root in the first place.  I remember back in the 2.1.x and 2.2.x
days when .cshrc actually used to yell at people if you logged in as root.  Use
sudo, supser, su2, or su -m instead.  Root's login shell and login shell files
should be kept simple and sane and not dinked with.  This is a people problem
with the administrators in question and hacking up su is not the right fix.

-- 

John Baldwin <jhb@FreeBSD.org> -- http://www.FreeBSD.org/~jhb/
PGP Key: http://www.baldwin.cx/~john/pgpkey.asc
"Power Users Use the Power to Serve!"  -  http://www.FreeBSD.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message