Date: Tue, 3 Apr 2001 11:37:46 -0700 From: "Jeremiah Gowdy" <data@irev.net> To: "Matthew Emmerton" <matt@gsicomp.on.ca>, "Kherry Zamore" <dknj@dknj.org>, <freebsd-stable@FreeBSD.ORG> Cc: <freebsd-security@FreeBSD.ORG> Subject: Re: su change? Message-ID: <002d01c0bc6d$2d558390$035778d8@sherline.net> References: <005401c0bc63$7cb36650$0202a8c0@majorzoot> <001f01c0bc68$681a2b20$1200a8c0@gsicomp.on.ca>
next in thread | previous in thread | raw e-mail | index | archive | help
> > if (!chshell(pwd->pw_shell) && ruid) > > errx(1, "permission denied (shell)."); > > > > The only thing we need to prepend to this is a check to see if we are > trying > > to su to root, which we should allow regardless of the shell specified: > > I disagree. The root account is an account that needs to have the highest > number of security checks present. Then make a point as to why root, when not having a valid shell, not being able to log in is a useful security check in any way shape or form. So people can change root's shell to something invalid when they want to lock the root account ? That's nonsensical. If root doesn't have a valid shell, something is broken. If someone gets to that stage in the code for su, they already have an account in wheel, and the root password. You're saying that in the situation in which someone has an account in wheel and the root password, but root's shell is invalid, access should be denied ? I fail to see the security value in this. I support the code patch, while it's value is minimal, the behavior is not unreasonable or insecure. > Just consider your friend lucky - doing similar things to the root account > on any enterprise UNIX (UnixWare, Solaris, AIX) could require a complete > reinstall - especially if it's running C2-level security. Sigh. I won't bother arguing this. I think some else has. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?002d01c0bc6d$2d558390$035778d8>