Date: Mon, 14 May 2001 21:38:54 +0200 From: Erik Trulsson <ertr1013@student.uu.se> To: "'freebsd-security@freebsd.org'" <freebsd-security@FreeBSD.ORG> Subject: Re: nfs mounts / su / yp Message-ID: <20010514213854.A34209@student.uu.se> In-Reply-To: <20010514122650.T18676@fw.wintelcom.net>; from bright@wintelcom.net on Mon, May 14, 2001 at 12:26:50PM -0700 References: <20010514200927.A32697@student.uu.se> <Pine.WNT.4.10.10105141416260.-559341@rosencrantz.east.isi.edu> <20010514204259.A33451@student.uu.se> <3B00295D.24643CD7@centtech.com> <3B002E2B.1337F4C9@lmc.ericsson.se> <20010514122650.T18676@fw.wintelcom.net>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, May 14, 2001 at 12:26:50PM -0700, Alfred Perlstein wrote: > * Antoine Beaupre (LMC) <Antoine.Beaupre@ericsson.ca> [010514 12:20] wrote: > > [cc's trimmed] > > > > Eric Anderson wrote: > > > > > > Well, I think the problem is that a local root should mean only local > > > root access, and su should not allow you to su to non-local users (ie, > > > NIS users). > > > > That policy (local-only su) if implemented on a machine, can be > > circumvented when the user gets root access. > > > > Heck, the user can even install another system that *doesn't have* that > > policy. > > > > > The problem is simply how do you stop root from su'ing to > > > another user? > > > > You can't. Once the user has root, he can reinstall a complete system, > > bypassing any *local* policy you might have. You can't keep root from > > doing *anything* by definition. I think there has been a few threads > > regarding this on this list. This might be seen as a UNIX design flaw > > but I certainly disagree. Anyways, that is not the issue here. > > FreeBSD has securelevels, while not ideal, if implemented properly > they can limit what root can do. Yes, but if users have physical access to the machine they can always reboot into single user mode. In that case securelevels don't help. It is very difficult to secure a machine completely if users have physical access to it. -- <Insert your favourite quote here.> Erik Trulsson ertr1013@student.uu.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010514213854.A34209>