Message-ID: <002d01c0bc6d$2d558390$035778d8@sherline.net>
From: "Jeremiah Gowdy"
To: "Matthew Emmerton", "Kherry Zamore"
References: <005401c0bc63$7cb36650$0202a8c0@majorzoot> <001f01c0bc68$681a2b20$1200a8c0@gsicomp.on.ca>
Subject: Re: su change?
Date: Tue, 3 Apr 2001 11:37:46 -0700

> > if (!chshell(pwd->pw_shell) && ruid)
> >         errx(1, "permission denied (shell).");
> >
> > The only thing we need to prepend to this is a check to see if we are trying
> > to su to root, which we should allow regardless of the shell specified:
>
> I disagree. The root account is an account that needs to have the highest
> number of security checks present.

Then make a point as to why root, when not having a valid shell, not being able to log in is a useful security check in any way, shape or form. So people can change root's shell to something invalid when they want to lock the root account? That's nonsensical. If root doesn't have a valid shell, something is broken. If someone gets to that stage in the code for su, they already have an account in wheel, and the root password. You're saying that in the situation in which someone has an account in wheel and the root password, but root's shell is invalid, access should be denied? I fail to see the security value in this.

I support the code patch; while its value is minimal, the behavior is not unreasonable or insecure.

> Just consider your friend lucky - doing similar things to the root account
> on any enterprise UNIX (UnixWare, Solaris, AIX) could require a complete
> reinstall - especially if it's running C2-level security.

Sigh. I won't bother arguing this. I think someone else has.
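
The shell check debated in this message, as an added example that is not part of the original e-mail or of FreeBSD's su source. shell_listed(), su_shell_ok(), the exempt_root flag and the sample shells list are assumptions made for illustration; the proposed patch itself does not appear on this page.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed sample of /etc/shells content (not from the thread). */
static const char SAMPLE_SHELLS[] =
    "# acceptable login shells\n"
    "/bin/sh\n"
    "/bin/csh\n"
    "\n"
    "/bin/tcsh\n";

/* Simplified stand-in for su's chshell(): 1 if sh is exactly one of the
 * path lines in shells_text. Comment and blank lines never match. */
int shell_listed(const char *shells_text, const char *sh)
{
    size_t want = strlen(sh);
    const char *p = shells_text;
    while (*p != '\0') {
        size_t len = strcspn(p, "\n");
        if (p[0] == '/' && len == want && memcmp(p, sh, len) == 0)
            return 1;
        p += len;
        if (*p == '\n')
            p++;
    }
    return 0;
}

/* 1 = su may proceed, 0 = "permission denied (shell)".
 * exempt_root == 0 is the quoted check; exempt_root == 1 is one reading of
 * the proposed change (hypothetical, the patch text is not on the page). */
int su_shell_ok(const char *shells_text, const char *target_shell,
                uid_t ruid, uid_t target_uid, int exempt_root)
{
    if (exempt_root && target_uid == 0)
        return 1;               /* su to root ignores root's shell */
    if (!shell_listed(shells_text, target_shell) && ruid != 0)
        return 0;               /* unlisted shell, non-root caller */
    return 1;
}

int main(void)
{
    const char *broken = "/usr/local/bin/zsh";  /* constructed, not listed */
    printf("quoted check:   %d\n", su_shell_ok(SAMPLE_SHELLS, broken, 1001, 0, 0));
    printf("with exemption: %d\n", su_shell_ok(SAMPLE_SHELLS, broken, 1001, 0, 1));
    return 0;
}
```

The exemption changes the outcome only for a non-root caller targeting uid 0 whose shell is unlisted; every other combination behaves as in the quoted check.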