Date: Thu, 28 Mar 2002 00:35:06 +1000
From: Andrew Kenneth Milton <akm@theinternet.com.au>
To: Bill Vermillion <bv@wjv.com>
Cc: Andrew Kenneth Milton <akm@theinternet.com.au>, security@FreeBSD.ORG
Subject: Re: Question on su / possible hole
Message-ID: <20020328003506.F40004@zeus.theinternet.com.au>
In-Reply-To: <20020327142432.GB30556@wjv.com>; from bv@wjv.com on Wed, Mar 27, 2002 at 09:24:33AM -0500
References: <20020327140006.GA30556@wjv.com> <20020328000329.E40004@zeus.theinternet.com.au> <20020327142432.GB30556@wjv.com>

+-------[ Bill Vermillion ]----------------------
| On Thu, Mar 28, 2002 at 12:03:29AM +1000, Andrew Kenneth Milton thus spoke:
| > +-------[ Bill Vermillion ]----------------------
| > |
| > | However I have found that if non-wheel-group user can su to a
| > | user who has wheel privileges - the non-wheel user can su to
| > | root.
|
| > So they can simply login as the user with wheel access and circumvent
| > any further checking anyway. They'd need the password after all.
|
| They do need the password of course. But if you expand the wheel
| concept to the point that you can only become root if you are a
| named user in this group - IOW a trusted user - then the system
| would be more secure.

So remove world execute access from su, make an su-users group and chgrp su
with that group?

I think you have the tools you need to do what you want d8)

-- 
Totally Holistic Enterprises Internet|                      | Andrew Milton
The Internet (Aust) Pty Ltd          |                      |
ACN: 082 081 472 ABN: 83 082 081 472 |  M:+61 416 022 411   | Carpe Daemon
PO Box 837 Indooroopilly QLD 4068    |akm@theinternet.com.au|

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
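
The restriction suggested in the reply (an su binary that only members of one group can execute), as an added example that is not part of the original message: a POSIX shell check that reports whether a given su binary is in that state. The group name `su-users` comes from the reply; the path `/usr/bin/su` and the function name `check_su_restricted` are assumptions.

```shell
#!/bin/sh
# Added example: audit whether an su binary is limited to one group.
# The function name and the /usr/bin/su path below are assumptions.

# check_su_restricted PATH GROUP
# Returns 0 when PATH is setuid and owner-executable, group-owned by GROUP,
# group-executable, and not executable by "other". Returns 1 on any
# deviation (one line per finding on stdout), 2 if PATH is not a file.
check_su_restricted() {
    path=$1 want_group=$2 rc=0
    [ -f "$path" ] || { echo "missing: $path"; return 2; }

    # ls -ld prints e.g. "-r-sr-x---  1 root  su-users ..."; keep the first
    # ten mode characters (drops any ACL marker) and the group column.
    info=$(ls -ld "$path" | awk '{print substr($1, 1, 10), $4}')
    mode=${info% *}
    group=${info#* }

    owner_x=$(printf '%s' "$mode" | cut -c4)
    group_x=$(printf '%s' "$mode" | cut -c7)
    other_x=$(printf '%s' "$mode" | cut -c10)

    case $owner_x in
        s) ;;   # setuid and owner-executable
        *) echo "not setuid+executable (owner exec bit: $owner_x)"; rc=1 ;;
    esac
    case $group_x in
        x|s) ;;
        *) echo "group $group cannot execute $path"; rc=1 ;;
    esac
    case $other_x in
        x|t) echo "world-executable: any account can run $path"; rc=1 ;;
    esac
    if [ "$group" != "$want_group" ]; then
        echo "group is $group, expected $want_group"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "ok: $path restricted to group $want_group"
    return "$rc"
}

# The change suggested in the reply, run as root (shown here, not executed):
#   chgrp su-users /usr/bin/su
#   chmod 4750 /usr/bin/su
# followed by the audit:
#   check_su_restricted /usr/bin/su su-users
```

A system upgrade that reinstalls su can reset its mode and group, so the check is worth re-running after updates.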