From owner-freebsd-security Mon Feb 11 18:25:16 2002
From: Beth Reid
To: "'freebsd-security@FreeBSD.org'"
Cc: 'Bill Swingle'
Subject: RE: Questions regarding the wheel group
Date: Fri, 8 Feb 2002 11:57:38 -0500
Message-Id: <20020212021206.3F3AC9EFD3@okeeffe.bestweb.net>
Sender: owner-freebsd-security@FreeBSD.ORG

Bill,

So sorry for the inconvenience. There was some formatting in the document which made readability easier.

Hopefully freebsd-security can help me, thanx for the suggestion. Here is the straight text rather than a word document attachment:

-----

I am doing research on the wheel group and security and I had a couple of questions.

I understand the purpose of wheel as follows: "Further protection is offered for the root account by using a special group called the wheel group. The wheel group adds greater security to a system by preventing users that are not in this group from using the su (super user) command to su to root."

So, the majority of the time one would add a user to the wheel group and then give that person the root password so that these selected few users could become root when they "su". Makes sense and is a good feature.

While doing my research, I wanted to know what other type of privileges a user would have if they belong to wheel. What if someone inadvertently added a user to the wheel group (and was not given root's password)? Would a user in the wheel group without the root password be able to compromise a system in any way?

Some thoughts: Why should the wheel group be used on any files? I would think from a security point of view, wheel should not be the default or primary group for root. This way if you are in the wheel group and have root's password, you can become root. If you are in the wheel group, but do not have root's password, you should not gain any special privileges to any files or directories. You should be like any other user.

My initial step was to check the permissions on all of the files to see if files with a group of "wheel" had permission bits where the group and other bits differed. Although this may not be exhaustive for every type of system, this is what I found on a FreeBSD Release 4.3 (without source) system. The following files had a group of wheel and had different group and other permissions.

1) The only 2 devices on my system where wheel had more permission than other were the following. I am not sure yet if there is a vulnerability here.

crw-rw----  2 root  wheel   14, 0x20000000 Nov 30 09:09 ./dev/rsa0.ctl
crw-rw----  2 root  wheel   14, 0x20000000 Nov 30 09:09 ./dev/sa0.ctl

2) In the /proc directory there is a mem file for each process. This seems to me like a vulnerability. The odd thing is that on one similar FreeBSD 4.3 release system the group was kmem for all files in this directory; all other systems had the group for root as wheel. So two questions here: 1) why does the group differ on the two systems, and 2) why does the wheel group have read privilege on these mem files?

-rw-r-----  1 root  wheel   0 Feb  6 12:27 ./proc/317/mem
-rw-r-----  1 root  wheel   0 Feb  6 12:27 ./proc/318/mem

3) This seems harmless.

-r-xr-x---  1 root  wheel   12424 Apr 21  2001 ./usr/sbin/mptable

4) This seems like it could be a vulnerability. If someone is in wheel that shouldn't be, he could read these files and perhaps gather some useful information.

in /var/log
-rw-r-----  1 root  wheel   5490 Feb  6 03:01 setuid.today
-rw-r-----  1 root  wheel   5490 Feb  5 03:01 setuid.yesterday
-rw-r-----  1 root  wheel   5464 Feb  2 03:01 dmesg.today
-rw-r-----  1 root  wheel   5527 Feb  1 03:01 dmesg.yesterday
-rw-r-----  1 root  wheel    136 Dec  1 03:02 mount.today

5) These directories allow wheel to poke around in them, but not someone in the other group. It seems like I wouldn't want the crash files exposed. The cron directory is odd because although wheel can poke around in cron, he can't get to the tabs subfolder. The backup folder seems harmless(?). Someone in wheel can remove files from /tmp.

in /var
drwxrwxrwt  3 root  wheel   512 Feb  6 03:01 tmp
drwxr-x---  2 root  wheel   512 Feb  6 03:01 backups
drwxr-x---  3 root  wheel   512 Nov 30 09:08 cron
drwxr-x---  2 root  wheel   512 Nov 30 09:08 crash

Again, I am under the impression that if you put someone in wheel you want him to be able to become root. It seems wheel acts more like a role mechanism where if you belong to it, you have an additional privilege. Should the additional privileges include access to the files above or just be the ability to execute the "su" command?

In summary, if you could shed some light on any of these issues I would really appreciate it. If there are any documents you could point me to, I would be happy to do the research myself.

I am looking for answers or information for the following:

1) What if someone inadvertently added a user to the wheel group (and was not given root's password)? Would a user in the wheel group without the root password be able to compromise a system in any way?
2) Why should the wheel group be used on any files?
3) Why is the wheel group the primary group for root?
4) Items 1-5 for the files where group and other permissions differ. An explanation for these files and directories. Also the kmem issue is very strange.
5) Should being in the wheel group give any other privilege other than to execute the "su" command?

--------

Thanx again and apologies for inconvenience.
Beth

-----Original Message-----
From: Bill Swingle [mailto:unfurl@dub.net]
Sent: Friday, February 08, 2002 11:50 AM
To: Beth Reid
Cc: 'security-officer@FreeBSD.org'
Subject: Re: Questions regarding the wheel group

Beth,

Being that we're a unix security group most of us use microsoft products very rarely. If your questions are text only, why complicate the matter with an attachment?

Secondly, most likely the forum that you're looking for is the freebsd-security mailing list. Check the freebsd.org website for more info.

-Bill

On Fri, Feb 08, 2002 at 09:34:03AM -0500, Beth Reid wrote:
> Hi
>
> Attached is a document with a few questions regarding the wheel group and
> security. If you have information, I would really appreciate it. If you
> can't read the attachment for any reason, please let me know.
>
> Thanx!
>
> Beth Reid
> CyberGuard Corporation
>
> phone: 954-958-3900 x3230
> email: breid@cyberguard.com
> fax: 954-958-3901
>
> See the LX, a new, low-cost EAL4 certified firewall/VPN compact appliance!
> http://www.cyberguard.com/SOLUTIONS/Solutions_lx1.html

--
-=| Bill Swingle - <unfurl@(dub.net|freebsd.org)>
-=| Every message PGP signed
-=| Fingerprint: C1E3 49D1 EFC9 3EE0 EA6E  6414 5200 1C95 8E09 0223
-=| "Computers are useless. They can only give you answers" Pablo Picasso
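The check the post describes (every file owned by group wheel whose group permission bits grant something the "other" bits do not, so that wheel membership alone confers access) can be automated. The script below is an added example for this thread; it is not code from the post or from FreeBSD. Function names (excess_group_bits, audit_tree, make_sample_tree) are ours, and the sample tree is constructed in a temp directory with the caller's own primary group, since only root can chgrp files to wheel; its modes mirror the listings in the post (0640 for setuid.today, 0550 for mptable, 0750 for crash, 1777 for tmp).

```python
"""Added example (not code from the post or from FreeBSD): list every file or
directory owned by a given group whose group permission bits exceed the
'other' bits, i.e. the entries where membership in that group (wheel without
root's password) buys extra access.  The sample tree is constructed here and
uses the caller's own primary group, because only root can chgrp to wheel."""
import os
import stat
import tempfile

RWX = (("r", 0o4), ("w", 0o2), ("x", 0o1))


def excess_group_bits(mode: int) -> int:
    """Return the rwx bits (as a 3-bit value) that the group has and 'other'
    lacks.  mode may carry type/sticky/setuid bits; only the low 9 matter."""
    group = (mode >> 3) & 0o7
    other = mode & 0o7
    return group & ~other & 0o7


def describe_bits(bits: int) -> str:
    """Render a 3-bit value as an ls-style 'rwx' triplet."""
    return "".join(ch if bits & b else "-" for ch, b in RWX)


def audit_tree(root: str, gid: int = None) -> list:
    """Walk root (symlinks are not followed) and return sorted
    (path, octal_mode, excess) tuples for entries owned by gid whose group
    bits exceed the other bits.  gid defaults to the caller's gid."""
    if gid is None:
        gid = os.getgid()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # raced removal or unreadable entry: skip, don't abort
            if stat.S_ISLNK(st.st_mode) or st.st_gid != gid:
                continue
            excess = excess_group_bits(st.st_mode)
            if excess:
                findings.append((path, oct(stat.S_IMODE(st.st_mode)),
                                 describe_bits(excess)))
    return sorted(findings)


def make_sample_tree():
    """Build a constructed sample tree in a temp dir mirroring the modes from
    the post (names are illustrative).  Returns (base_dir, gid_of_entries)."""
    base = tempfile.mkdtemp(prefix="wheel-audit-")
    files = {
        "setuid.today": 0o640,  # -rw-r-----  like /var/log/setuid.today
        "mptable": 0o550,       # -r-xr-x---  like /usr/sbin/mptable
        "motd": 0o644,          # -rw-r--r--  group == other, not reported
    }
    dirs = {
        "crash": 0o750,         # drwxr-x---  like /var/crash
        "tmp": 0o1777,          # drwxrwxrwt  group == other, not reported
    }
    for name, mode in files.items():
        path = os.path.join(base, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    for name, mode in dirs.items():
        path = os.path.join(base, name)
        os.mkdir(path)
        os.chmod(path, mode)
    # Read the gid back rather than assuming os.getgid(): on BSD a new file
    # inherits its parent directory's group, on Linux the process's gid.
    gid = os.lstat(os.path.join(base, "motd")).st_gid
    return base, gid


if __name__ == "__main__":
    base, gid = make_sample_tree()
    for path, mode, excess in audit_tree(base, gid):
        print(f"{mode:>7} group+{excess}  {path}")
```

On a real system the same walk would be run as root from "/" with gid = grp.getgrnam("wheel").gr_gid. The same question can be asked of find one bit class at a time, e.g. find / -group wheel -perm -040 ! -perm -004 for "group can read, other cannot"; the script's advantage is that it reports all three classes in one pass and tells you exactly which bits differ.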

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message