From owner-freebsd-security@FreeBSD.ORG Sat Dec 18 10:45:10 2004
From: Rudolf Polzer
Newsgroups: mpc.lists.freebsd.security,muc.lists.freebsd.security
To: muc-lists-freebsd-security@moderators.muc.de
Date: 18 Dec 2004 10:45:06 GMT
Subject: Re: Strange command histories in hacked shell history
References: <20041217120138.7A89116A4D2@hub.freebsd.org> <20041217145315.GB68582@wjv.com> <41C391BE.3030604@earthlink.net> <20041218022556.GA85192@wjv.com>
User-Agent: slrn/0.9.8.1 (FreeBSD)
List-Id: Security issues [members-only posting]
»Bill Vermillion« wrote:

> But if a person who is not in wheel su's to a user who is in wheel,
> then they can su to root - as the system sees them as the other
> user. This means that the 'wheel' security really is nothing more
> than a 2 password method to get to root.

It is exactly that.

> If the EUID of the original invoker is checked, even if they su'ed
> to a person in wheel, then they should not be able to su to root.

No, since the EUID is also changed on su.

> I'm asking why is this permitted, or alternatively why is putting a
> user in the wheel group supposed to make things secure, when in
> reality it just makes it seem more secure - as there is only one
> more password to crack.

Well, if su could not su from a non-wheel user to a wheel user, the
user would just ssh to localhost instead. For example.

-- 
/ --- Where bots rampage, I'm there to take them down! --- \
/ ------ Where trouble arises, I'm there to cause it! ------ \
\ Where an enemy tries to frag me, victory will be mine!!!1! /
{{dup[exch{dup exec}fork =}loop}dup exec >> http://www.ccc-offenbach.org <<
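The exchange above compares two ways su could decide who may become root: checking the credentials the caller has right now (what the thread says su does, and why a non-wheel user can reach root through a wheel user's account), and checking the uid that originally logged in, which would block that chain but not a fresh ssh session. The following is an added example, not code from the post or from FreeBSD's su(1); it models both checks in Python so they can be run side by side. The users alice and bob, their uids and group memberships, the `login_uid` field standing in for a login uid that survives su, and the premise that the caller already knows the passwords involved are all assumptions of the example.

```python
"""Model of the su / wheel check discussed in the thread above.

Added example: this is an illustration written for this page, not FreeBSD's
su(1) and not code from the original post.  Two policies are modelled:

  * "current": su checks whether the credentials the caller has *now*
    (after any earlier su) are in wheel.  This is the behaviour the thread
    describes, since su replaces the caller's uids.
  * "login":   a hypothetical variant that checks the uid that originally
    logged in, which su would leave untouched.

All users, uids and group memberships below are constructed for the example.
"""
from dataclasses import dataclass, replace

# Constructed /etc/passwd and /etc/group fragments (assumptions, not real data).
USERS = {"root": 0, "alice": 1001, "bob": 1002}
WHEEL = {"bob"}  # bob is in wheel; alice is not


@dataclass(frozen=True)
class Creds:
    """Credentials of a process: who it runs as now, and who logged in."""
    uid: int          # real/effective uid, replaced by su
    login_uid: int    # assumed login uid: set at login, never changed by su


def in_wheel(uid: int) -> bool:
    """True if the user with this uid is a member of the wheel group."""
    return any(USERS[name] == uid for name in WHEEL)


def su(creds: Creds, target: str, policy: str = "current") -> Creds:
    """su(1) to `target`, assuming the caller knows the target's password.

    The wheel check only applies when the target is root.  Under the
    "current" policy the uid the caller has now is checked; under the
    hypothetical "login" policy the uid that originally logged in is.
    Raises PermissionError when the check fails.
    """
    target_uid = USERS[target]
    if target_uid == 0:
        checked = creds.uid if policy == "current" else creds.login_uid
        if not in_wheel(checked):
            raise PermissionError(f"uid {checked} is not in wheel")
    # su replaces the real and effective uid; the login uid is untouched.
    return replace(creds, uid=target_uid)


def login(user: str) -> Creds:
    """A fresh login session (e.g. ssh to localhost): both uids are the user's."""
    uid = USERS[user]
    return Creds(uid=uid, login_uid=uid)


def path_to_root(steps, policy: str = "current") -> bool:
    """Walk a sequence of ("login", user) / ("su", user) steps.

    Returns True if the final credentials are root's, False if any su
    along the way is denied by the wheel policy.
    """
    creds = None
    try:
        for kind, user in steps:
            creds = login(user) if kind == "login" else su(creds, user, policy)
    except PermissionError:
        return False
    return creds is not None and creds.uid == 0


# The chain from the thread: alice (not in wheel) -> bob (wheel) -> root.
TWO_PASSWORD_CHAIN = [("login", "alice"), ("su", "bob"), ("su", "root")]

# The same attacker, but opening a new session as bob via ssh to localhost,
# which resets the login uid to bob's before the su to root.
SSH_LOCALHOST_CHAIN = [("login", "alice"), ("su", "bob"),
                       ("login", "bob"), ("su", "root")]
```

Run as written, `path_to_root(TWO_PASSWORD_CHAIN)` succeeds under the "current" policy and fails under the hypothetical "login" policy, while `path_to_root(SSH_LOCALHOST_CHAIN, policy="login")` succeeds again: a check keyed on the login session only moves the two-password problem to a new session, which is the point the reply makes.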