Date: Wed, 27 Mar 2002 09:57:07 -0500 (EST)
From: Bill Vermillion
To: Andrew Kenneth Milton
Cc: security@FreeBSD.ORG
Subject: Re: Question on su / possible hole
Message-ID: <20020327145706.GC30556@wjv.com>
Reply-To: bv@wjv.com
In-Reply-To: <20020328003506.F40004@zeus.theinternet.com.au>
References: <20020327140006.GA30556@wjv.com> <20020328000329.E40004@zeus.theinternet.com.au> <20020327142432.GB30556@wjv.com> <20020328003506.F40004@zeus.theinternet.com.au>
Organization: W.J.Vermillion / Orlando - Winter Park

On Thu, Mar 28, 2002 at 12:35:06AM +1000, Andrew Kenneth Milton thus spoke:
> +-------[ Bill Vermillion ]----------------------
> | On Thu, Mar 28, 2002 at 12:03:29AM +1000, Andrew Kenneth Milton thus spoke:
> | > +-------[ Bill Vermillion ]----------------------
> | > |
> | > | However I have found that if a non-wheel-group user can su to a
> | > | user who has wheel privileges, then the non-wheel user can su to
> | > | root.
> | >
> | > So they can simply login as the user with wheel access and circumvent
> | > any further checking anyway. They'd need the password after all.
> |
> | They do need the password of course. But if you expand the wheel
> | concept to the point that you can only become root if you are a
> | named user in this group - IOW a trusted user - then the system
> | would be more secure.
>
> So remove world execute access from su, make an su-users group and
> chgrp su with that group?
>
> I think you have the tools you need to do what you want d8)

Now why didn't I think of that. Thanks.

Bill
--
Bill Vermillion - bv @ wjv . com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
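The steps Andrew suggests (drop world execute on su, create a group for the users allowed to run it, chgrp su to that group) as an added worked example; this is not code from the thread or from FreeBSD. The group name "suusers" is this example's own choice, and the demo operates on a scratch copy of /bin/sh owned by the caller's primary group so that it can run unprivileged; on a real FreeBSD host you would run restrict_to_group as root against /usr/bin/su itself, after `pw groupadd suusers -M user1,user2`. Two caveats a practitioner would want: `make installworld` reinstalls /usr/bin/su with its default mode 4555 and owner root:wheel, so the restriction has to be reapplied after every upgrade, and su's own wheel-membership check for the root target still applies on top of this, so the suusers group only controls who may run su at all.

```sh
#!/bin/sh
# Added example (not from the original thread): restrict a setuid binary
# such as /usr/bin/su to members of one named group.
# Assumptions: group name "suusers" is hypothetical; the demo uses a scratch
# copy of /bin/sh and the caller's own primary group so it runs unprivileged.

# restrict_to_group PATH GROUP
#   Give PATH to GROUP and set mode 4750 (-rwsr-x---): owner keeps rwx plus
#   setuid, group members get r-x, everyone else gets nothing. The setuid
#   bit is kept deliberately; su does nothing useful without it.
restrict_to_group() {
    chgrp "$2" "$1" && chmod 4750 "$1"
}

# world_executable PATH
#   The "before" check: returns 0 if "others" may execute PATH. Only the
#   first ten characters of the ls mode field are examined, since some ls
#   variants append "+" or "." for ACLs or security labels.
world_executable() {
    set -- $(ls -ld "$1")
    other=$(printf '%s' "$1" | cut -c10)
    [ "$other" = "x" ] || [ "$other" = "t" ]
}

# check_restricted PATH GROUP
#   The "after" check, using only "ls -ld" output, whose first (mode) and
#   fourth (group) fields are the same on FreeBSD and Linux. Returns 0 when
#   PATH is exactly -rwsr-x--- and belongs to GROUP.
check_restricted() {
    want_group=$2
    set -- $(ls -ld "$1")
    mode=$(printf '%s' "$1" | cut -c1-10)
    [ "$mode" = "-rwsr-x---" ] && [ "$4" = "$want_group" ]
}

# demo_restrict
#   Exercise the functions on a scratch copy of /bin/sh (a stand-in for
#   /usr/bin/su) with the caller's primary group, since an unprivileged user
#   can only chgrp to a group they belong to. Returns 0 when the copy was
#   world-executable before and correctly locked down afterwards.
demo_restrict() {
    scratch=$(mktemp -t su.XXXXXX) || return 1
    cp /bin/sh "$scratch" || { rm -f "$scratch"; return 1; }
    chmod 755 "$scratch"                      # typical world-executable start
    group=$(id -gn)
    world_executable "$scratch" \
        && restrict_to_group "$scratch" "$group" \
        && check_restricted "$scratch" "$group" \
        && ! world_executable "$scratch"
    rc=$?
    rm -f "$scratch"
    return $rc
}
```

Before applying this on a real system, `find /usr/bin /usr/sbin -type f -perm -4001` lists the setuid binaries that are still world-executable, which is the set this change does not cover; su is only one of them.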