From owner-freebsd-security  Wed Mar 27  6:35:18 2002
Delivered-To: freebsd-security@freebsd.org
Received: from theinternet.com.au (c17126.kelvn1.qld.optusnet.com.au [210.49.48.239])
	by hub.freebsd.org (Postfix) with ESMTP id 26D0737B417
	for <security@FreeBSD.ORG>; Wed, 27 Mar 2002 06:35:13 -0800 (PST)
Received: (from akm@localhost)
	by theinternet.com.au (8.11.6/8.11.4) id g2REZ6310776;
	Thu, 28 Mar 2002 00:35:06 +1000 (EST)
	(envelope-from akm)
Date: Thu, 28 Mar 2002 00:35:06 +1000
From: Andrew Kenneth Milton <akm@theinternet.com.au>
To: Bill Vermillion <bv@wjv.com>
Cc: Andrew Kenneth Milton <akm@theinternet.com.au>,
	security@FreeBSD.ORG
Subject: Re: Question on su / possible hole
Message-ID: <20020328003506.F40004@zeus.theinternet.com.au>
References: <20020327140006.GA30556@wjv.com> <20020328000329.E40004@zeus.theinternet.com.au> <20020327142432.GB30556@wjv.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20020327142432.GB30556@wjv.com>; from bv@wjv.com on Wed, Mar 27, 2002 at 09:24:33AM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

+-------[ Bill Vermillion ]----------------------
| On Thu, Mar 28, 2002 at 12:03:29AM +1000, Andrew Kenneth Milton thus spoke:
| > +-------[ Bill Vermillion ]----------------------
| > |
| > | However I have found that if non-wheel-group user can su to a
| > | user who has wheel privledges - the the non-wheel user can su to
| > | root.
| 
| > So they can simply login as the user with wheel access and circumvent 
| > any further checking anyway. They'd need the password after all.
|
| They do need the password of course.  But if you expand the wheel
| concept to the point that you can only become root if you are a
| named user in this group - IOW a trusted user - then the system
| would be more secure.

So remove world execute access from su, make an su-users group and chgrp
su with that group ?

I think you have the tools you need to do what you want d8)

-- 
Totally Holistic Enterprises Internet|                      | Andrew Milton
The Internet (Aust) Pty Ltd          |                      |
ACN: 082 081 472 ABN: 83 082 081 472 |  M:+61 416 022 411   | Carpe Daemon
PO Box 837 Indooroopilly QLD 4068    |akm@theinternet.com.au| 

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message