Date: Wed, 27 Mar 2002 16:53:35 +0000
From: Ceri <setantae@submonkey.net>
To: Andrew Kenneth Milton <akm@theinternet.com.au>
Cc: Damien Palmer <dpalmer@northwestern.edu>, security@FreeBSD.ORG
Subject: Re: Question on su / possible hole
Message-ID: <20020327165335.GA61997@submonkey.net>
In-Reply-To: <20020328024827.I40004@zeus.theinternet.com.au>
References: <20020327142432.GB30556@wjv.com> <20020327140006.GA30556@wjv.com> <20020328000329.E40004@zeus.theinternet.com.au> <20020327142432.GB30556@wjv.com> <20020328003506.F40004@zeus.theinternet.com.au> <5.1.0.14.2.20020327103848.00acb498@casbah.it.northwestern.edu> <20020328024827.I40004@zeus.theinternet.com.au>

On Thu, Mar 28, 2002 at 02:48:27AM +1000, Andrew Kenneth Milton wrote:
> +-------[ Damien Palmer ]----------------------
> | At 12:35 AM 3/28/2002 +1000, Andrew Kenneth Milton wrote:
> | >So remove world execute access from su, make an su-users group and chgrp
> | >su with that group ?
> |
> | Since su already belongs to the wheel group, and we are trying to restrict
> | su access to people in the wheel group, wouldn't it be simpler to just
> | chmod the command, so only the owner and the group have executable
> | permissions on it, and leave it in the wheel group? Or is there another
> | reasoning behind creating a new group that I am not seeing?
>
> Neatness?

If only wheel has execute access on su, then only people in wheel can su.
Note that anyone can use su, they just can't su to root if they're not in
wheel.

Creating a new group wouldn't work anyway. su explicitly checks that the
user calling it is in a group with gid=0, otherwise known as wheel.

Ceri
--
keep a mild groove on

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
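The two checks discussed in the thread (is su still world-executable, and is a given user actually a member of wheel, gid 0) can be audited from a script. The following POSIX shell is an added example written for this archive page, not code from the thread or from FreeBSD; the group data it parses is a constructed sample rather than a real /etc/group, and the file it inspects is a temporary file it creates itself, so it runs without touching the system's su binary.

```shell
#!/bin/sh
# Constructed sample group database (not taken from any real system).
# Format is the usual name:password:gid:member,member,...
SAMPLE_GROUP='wheel:*:0:root,alice
operator:*:5:root
users:*:100:bob'

# in_group USER GROUP  -- reads group data on stdin, returns 0 (true) when
# USER is listed as a member of GROUP, 1 otherwise.
in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# gid_of GROUP -- prints the numeric gid of GROUP from group data on stdin.
gid_of() {
    awk -F: -v g="$1" '$1 == g { print $3; exit }'
}

# world_executable FILE -- prints "yes" if the others-execute bit is set,
# "no" otherwise.  Column 10 of ls -l output is the others-execute flag,
# which is portable across BSD and GNU ls (unlike stat's option syntax).
world_executable() {
    case $(ls -ld "$1" | cut -c10) in
        x|t) echo yes ;;
        *)   echo no ;;
    esac
}

# audit_su FILE -- the check the thread arrives at: su should be executable
# by owner and group only (e.g. mode 4550, group wheel).  Returns 0 when
# the others-execute bit is clear, 1 when su is still world-executable.
audit_su() {
    [ "$(world_executable "$1")" = no ]
}

# Demonstration on a temporary file standing in for /usr/bin/su.
demo() {
    f=$(mktemp) || return 1
    chmod 4555 "$f"                     # typical default: setuid, world-exec
    printf 'mode 4555 world-executable: %s\n' "$(world_executable "$f")"
    chmod 4550 "$f"                     # the thread's proposed restriction
    printf 'mode 4550 world-executable: %s\n' "$(world_executable "$f")"
    rm -f "$f"
    printf 'alice in wheel: %s\n' \
        "$(echo "$SAMPLE_GROUP" | in_group alice wheel && echo yes || echo no)"
    printf 'wheel gid: %s\n' "$(echo "$SAMPLE_GROUP" | gid_of wheel)"
}
```

Run `demo` to see both checks against the constructed data; on a real host the same `audit_su /usr/bin/su` and `in_group "$USER" wheel </etc/group` calls give the answer for the binary and user in question. Note that, as Ceri points out, the gid 0 membership check is already enforced inside su itself, so the chmod only stops non-wheel users from running su at all rather than adding a new barrier to root.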