Date:      Mon, 14 May 2001 12:26:50 -0700
From:      Alfred Perlstein <bright@wintelcom.net>
To:        "'freebsd-security@freebsd.org'" <freebsd-security@FreeBSD.ORG>
Subject:   Re: nfs mounts / su / yp
Message-ID:  <20010514122650.T18676@fw.wintelcom.net>
In-Reply-To: <3B002E2B.1337F4C9@lmc.ericsson.se>; from Antoine.Beaupre@ericsson.ca on Mon, May 14, 2001 at 03:12:43PM -0400
References:  <20010514200927.A32697@student.uu.se> <Pine.WNT.4.10.10105141416260.-559341@rosencrantz.east.isi.edu> <20010514204259.A33451@student.uu.se> <3B00295D.24643CD7@centtech.com> <3B002E2B.1337F4C9@lmc.ericsson.se>

* Antoine Beaupre (LMC) <Antoine.Beaupre@ericsson.ca> [010514 12:20] wrote:
> [cc's trimmed]
> 
> Eric Anderson wrote:
> > 
> > Well, I think the problem is that a local root should mean only local
> > root access, and su should not allow you to su to non-local users (i.e.,
> > NIS users).
> 
> That policy (local-only su) if implemented on a machine, can be
> circumvented when the user gets root access. 
> 
> Heck, the user can even install another system that *doesn't have* that
> policy. 
> 
> > The problem is simply how do you stop root from su'ing to
> > another user?
> 
> You can't. Once the user has root, he can reinstall a complete system,
> bypassing any *local* policy you might have. You can't keep root from
> doing *anything* by definition. I think there have been a few threads
> regarding this on this list. This might be seen as a UNIX design flaw
> but I certainly disagree. Anyways, that is not the issue here. 

FreeBSD has securelevels; while not ideal, if implemented properly
they can limit what root can do.

-- 
-Alfred Perlstein - [alfred@freebsd.org]
http://www.egr.unlv.edu/~slumos/on-netbsd.html
