Date: Mon, 14 May 2001 12:51:45 -0700
From: "John Howie" <JHowie@msn.com>
To: <anderson@centtech.com>, "Erik Trulsson" <ertr1013@student.uu.se>
Cc: "Forrest Houston" <fhouston@east.isi.edu>, "Oulman, Jamie" <JOulman@iphrase.com>, <freebsd-security@freebsd.org>
Subject: Re: nfs mounts / su / yp
Message-ID: <00f101c0dcaf$5214db60$0101a8c0@development.local>
References: <20010514200927.A32697@student.uu.se> <Pine.WNT.4.10.10105141416260.-559341@rosencrantz.east.isi.edu> <20010514204259.A33451@student.uu.se> <3B00295D.24643CD7@centtech.com>
----- Original Message -----
From: "Eric Anderson" <anderson@centtech.com>
To: "Erik Trulsson" <ertr1013@student.uu.se>
Cc: "Forrest Houston" <fhouston@east.isi.edu>; "Oulman, Jamie" <JOulman@iphrase.com>; <freebsd-security@freebsd.org>
Sent: Monday, May 14, 2001 11:52 AM
Subject: Re: nfs mounts / su / yp

> Well, I think the problem is that a local root should mean only local
> root access, and su should not allow you to su to non-local users (i.e.,
> NIS users). Forrest, you have it close to what I am troubling with. I
> have users that WILL get root on their desktop machines, one way or the
> other. These users log into other machines (which is needed, and
> acceptable). The problem is simply how do you stop root from su'ing to
> another user? (and deleting the binary is not an answer, since
> downloading and/or compiling your own is simple enough)
> [remainder deleted]

Eric,

If you are saying that you are going to give/allow users root access, then your problems go further than simply denying them the ability to su to another user from root.

If you do not intend to allow users to become root, through securing the boot process and disabling bootable removable drives, then removing su is an option, as merely downloading the binary or compiling the source will not work: it needs to be installed with the owner as root and the suid bit set.

If your concern is that users might become root by exploiting a vulnerability, then join the club. That is a problem we all have to deal with. You will just have to be proactive in applying patches and monitoring your audit logs for suspicious activity.

Feel free to contact me directly, off list, if you want to discuss this further.

john...
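The two practical points in John's reply, that a user-supplied copy of su is useless unless it is setuid root, and that su activity should be watched in the audit logs, can both be turned into small checks. The script below is an added example written for this archive page; it is not code from the thread or from FreeBSD. The su syslog line format, the sample log lines and the local user list are constructed for the demonstration (modelled on the "su: USER to USER on TTY" style of BSD syslog output); adapt the pattern to whatever your own auth log actually emits.

```shell
#!/bin/sh
# Added example, not part of the original thread.
#
# is_setuid_root FILE
#   True only if FILE is a regular file owned by root with the setuid bit set.
#   A copy of su that a user downloads or compiles into their own directory
#   fails this test, which is the reason removing the system su is an option
#   once users cannot become root through the boot process.
is_setuid_root() {
    # find prints the path only if every predicate holds (POSIX find).
    [ -n "$(find "$1" -type f -user root -perm -4000 -print 2>/dev/null)" ]
}

# flag_su_events LOCAL_USERS
#   Reads su audit lines on stdin and prints one line per event worth a look:
#     FAILED   from->to   for "BAD SU" (wrong password) attempts
#     NONLOCAL from->to   for a successful switch to a user who is NOT in the
#                         local account list (e.g. an NIS user), which is the
#                         exact case Eric is worried about.
#   LOCAL_USERS is a space-separated list standing in for the names in
#   /etc/passwd; the field positions assume the constructed line format below.
flag_su_events() {
    awk -v locals="$1" '
    BEGIN { n = split(locals, a, " "); for (i = 1; i <= n; i++) local[a[i]] = 1 }
    # "... su: BAD SU alice to root on /dev/ttyp1" -> from=$(NF-4) to=$(NF-2)
    / su: BAD SU / { print "FAILED " $(NF-4) "->" $(NF-2); next }
    # "... su: root to bob on /dev/ttyp0"          -> from=$(NF-4) to=$(NF-2)
    / su: / {
        from = $(NF-4); to = $(NF-2)
        if (!(to in local)) print "NONLOCAL " from "->" to
    }'
}

# Constructed sample log (not real data) and constructed local account list.
SAMPLE_LOG='May 14 11:40:01 desk1 su: alice to root on /dev/ttyp0
May 14 11:41:12 desk1 su: root to bob on /dev/ttyp0
May 14 11:42:30 desk1 su: BAD SU alice to root on /dev/ttyp1
May 14 11:43:05 desk1 su: root to operator on /dev/ttyp0'
LOCAL_USERS="root alice operator"

# Stand-alone demo: report on the installed su binaries that exist here, then
# scan the constructed log. Expected scan output:
#   NONLOCAL root->bob
#   FAILED alice->root
for bin in /usr/bin/su /bin/su; do
    [ -e "$bin" ] || continue
    if is_setuid_root "$bin"; then
        echo "$bin: setuid root (a working su)"
    else
        echo "$bin: NOT setuid root (cannot switch users)"
    fi
done
printf '%s\n' "$SAMPLE_LOG" | flag_su_events "$LOCAL_USERS"
```

Run it as a plain `sh` script. The NONLOCAL rule is the detection John's advice implies: with NIS in play, a root-to-NIS-user switch on a desktop is the event to alert on, and it is visible in the su audit trail whether or not the system su binary has been removed.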