From owner-freebsd-security Wed Mar 27 6:35:18 2002 Delivered-To: freebsd-security@freebsd.org Received: from theinternet.com.au (c17126.kelvn1.qld.optusnet.com.au [210.49.48.239]) by hub.freebsd.org (Postfix) with ESMTP id 26D0737B417 for ; Wed, 27 Mar 2002 06:35:13 -0800 (PST) Received: (from akm@localhost) by theinternet.com.au (8.11.6/8.11.4) id g2REZ6310776; Thu, 28 Mar 2002 00:35:06 +1000 (EST) (envelope-from akm) Date: Thu, 28 Mar 2002 00:35:06 +1000 From: Andrew Kenneth Milton To: Bill Vermillion Cc: Andrew Kenneth Milton , security@FreeBSD.ORG Subject: Re: Question on su / possible hole Message-ID: <20020328003506.F40004@zeus.theinternet.com.au> References: <20020327140006.GA30556@wjv.com> <20020328000329.E40004@zeus.theinternet.com.au> <20020327142432.GB30556@wjv.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020327142432.GB30556@wjv.com>; from bv@wjv.com on Wed, Mar 27, 2002 at 09:24:33AM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org +-------[ Bill Vermillion ]---------------------- | On Thu, Mar 28, 2002 at 12:03:29AM +1000, Andrew Kenneth Milton thus spoke: | > +-------[ Bill Vermillion ]---------------------- | > | | > | However I have found that if non-wheel-group user can su to a | > | user who has wheel privledges - the the non-wheel user can su to | > | root. | | > So they can simply login as the user with wheel access and circumvent | > any further checking anyway. They'd need the password after all. | | They do need the password of course. But if you expand the wheel | concept to the point that you can only become root if you are a | named user in this group - IOW a trusted user - then the system | would be more secure. So remove world execute access from su, make an su-users group and chgrp su with that group ? I think you have the tools you need to do what you want d8) -- Totally Holistic Enterprises Internet| | Andrew Milton The Internet (Aust) Pty Ltd | | ACN: 082 081 472 ABN: 83 082 081 472 | M:+61 416 022 411 | Carpe Daemon PO Box 837 Indooroopilly QLD 4068 |akm@theinternet.com.au| To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message