Date: Wed, 27 Mar 2002 09:24:33 -0500
From: Bill Vermillion
To: Andrew Kenneth Milton
Cc: security@FreeBSD.ORG
Subject: Re: Question on su / possible hole
Message-ID: <20020327142432.GB30556@wjv.com>
In-Reply-To: <20020328000329.E40004@zeus.theinternet.com.au>

On Thu, Mar 28, 2002 at 12:03:29AM +1000, Andrew Kenneth Milton thus spoke:
> +-------[ Bill Vermillion ]----------------------
> |
> | However I have found that if a non-wheel-group user can su to a
> | user who has wheel privileges - then the non-wheel user can su to
> | root.
>
> So they can simply login as the user with wheel access and circumvent
> any further checking anyway. They'd need the password after all.

Not if you make sure that the user with the wheel access is coming
from a designated place - eg a particular link - an assigned static
IP for example. IOW besides knowing who the user is and their
password, you also know WHERE they are.

They do need the password of course. But if you expand the wheel
concept to the point that you can only become root if you are a
named user in this group - IOW a trusted user - then the system
would be more secure.

It strikes me as strange because at first glance a person would
think that only people who are in the wheel group could become root.
I never knew that you could bypass this until I was just
experimenting the other day.

The man page on su says "Only users who are members of group 0
can su to root"

It does say this about the environment USER "The user ID is always
the effective ID ..."

But BSD doesn't retain the real ID as in SysV. [I'm not a fan of
SysV so don't get me wrong]

It just strikes me as wrong.

-- 
Bill Vermillion - bv @ wjv . com
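
One way to spot the pattern discussed in this message in su's syslog records, as an added example that is not part of the original post. The `su: X to Y on TTY` line layout, the sample log lines, the wheel membership and the function name `find_chained_su` are all assumptions made for illustration.

```python
import re

# Constructed sample auth-log lines. The "su: X to Y on TTY" layout is an
# assumption about the local syslog format, not taken from the message.
SAMPLE_LOG = """\
Mar 27 09:01:02 host su: alice to bob on /dev/ttyp1
Mar 27 09:01:40 host su: bob to root on /dev/ttyp1
Mar 27 09:05:10 host su: carol to root on /dev/ttyp2
Mar 27 09:07:55 host su: BAD SU dave to root on /dev/ttyp3
Mar 27 09:09:00 host su: dave to bob on /dev/ttyp3
"""

# Constructed membership of group 0 (wheel) on the audited host.
WHEEL = {"bob", "carol"}

SU_LINE = re.compile(
    r"su: (?P<bad>BAD SU )?(?P<src>\S+) to (?P<dst>\S+) on (?P<tty>\S+)"
)


def find_chained_su(log_text, wheel):
    """Return (origin, via, tty) for every successful su to root made from a
    wheel account that a non-wheel user had su'd into on the same terminal.

    Heuristic: su does not log when a session ends, so a hop stays
    remembered for its tty until another non-wheel hop replaces it.
    """
    hop_on_tty = {}   # tty -> (non-wheel origin, wheel account taken over)
    findings = []
    for line in log_text.splitlines():
        m = SU_LINE.search(line)
        if not m or m.group("bad"):
            continue  # unrelated line or failed attempt
        src, dst, tty = m.group("src", "dst", "tty")
        if dst == "root":
            hop = hop_on_tty.get(tty)
            # root was reached by the wheel account, but the person at the
            # terminal started out as a user outside wheel
            if hop and hop[1] == src:
                findings.append((hop[0], src, tty))
        elif src not in wheel and dst in wheel:
            hop_on_tty[tty] = (src, dst)
    return findings


if __name__ == "__main__":
    for origin, via, tty in find_chained_su(SAMPLE_LOG, WHEEL):
        print(f"{origin} reached root via wheel account {via} on {tty}")
```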