Date:      Wed, 27 Mar 2002 09:24:33 -0500
From:      Bill Vermillion <bv@wjv.com>
To:        Andrew Kenneth Milton <akm@theinternet.com.au>
Cc:        security@FreeBSD.ORG
Subject:   Re: Question on su / possible hole
Message-ID:  <20020327142432.GB30556@wjv.com>
In-Reply-To: <20020328000329.E40004@zeus.theinternet.com.au>
References:  <20020327140006.GA30556@wjv.com> <20020328000329.E40004@zeus.theinternet.com.au>

On Thu, Mar 28, 2002 at 12:03:29AM +1000, Andrew Kenneth Milton thus spoke:
> +-------[ Bill Vermillion ]----------------------
> |
> | However I have found that if a non-wheel-group user can su to a
> | user who has wheel privileges - then the non-wheel user can su to
> | root.

> So they can simply login as the user with wheel access and circumvent 
> any further checking anyway. They'd need the password after all.

Not if you make sure that the user with the wheel access is coming
from a designated place - eg a particular link - an assigned static
IP for example.  IOW besides knowing who the user is and their
password, you also know WHERE they are.

They do need the password of course.  But if you expand the wheel
concept to the point that you can only become root if you are a
named user in this group - IOW a trusted user - then the system
would be more secure.

It strikes me as strange because at first glance a person would
think that only people who are in the wheel group could become
root.  I never knew that you could bypass this until I was just
experimenting the other day.

The man page on su says "Only users who are members of group 0 can
su to root"   It does say this about the environment USER "The user
ID is always the effective ID ..."    But BSD doesn't retain the
real ID as in SysV.  [I'm not a fan of SysV so don't get me wrong]

It just strikes me as wrong.

-- 
Bill Vermillion - bv @ wjv . com
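
The chained su described in this message can be spotted after the fact in the auth log. The following is an added example, not part of the original message: it assumes su logs successful switches as "su: <from> to <to> on <tty>" with the second hop logged under the intermediate account's name, and the group file and log lines are constructed.

```python
import re

# Assumed su syslog message shape: "su: <from> to <to> on <tty>".
# Failed attempts ("su: BAD SU ...") do not match and are skipped.
SU_RE = re.compile(r"su(?:\[\d+\])?: (\S+) to (\S+) on (\S+)")

def parse_group_members(group_text, name="wheel"):
    """Members listed for `name` in /etc/group-format text."""
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4 and fields[0] == name:
            return {m for m in fields[3].split(",") if m}
    return set()

def find_chained_su(log_lines, wheel):
    """Return (origin, via, tty) for each su to root that a non-wheel
    user reached by first switching to another account on the same tty."""
    origin = {}  # (tty, current account) -> account that started the chain
    hits = []
    for line in log_lines:
        m = SU_RE.search(line)
        if not m:
            continue
        src, dst, tty = m.groups()
        start = origin.get((tty, src), src)
        if dst != "root":
            origin[(tty, dst)] = start  # remember who is behind dst on this tty
        elif start != src and start not in wheel:
            hits.append((start, src, tty))
    return hits

# Constructed sample data, not taken from a real system.
GROUP = "wheel:*:0:root,alice\noperator:*:5:root\n"
LOG = [
    "Mar 27 09:01:10 host su: bob to alice on /dev/ttyp0",
    "Mar 27 09:01:25 host su: alice to root on /dev/ttyp0",
    "Mar 27 09:05:00 host su: alice to root on /dev/ttyp1",
    "Mar 27 09:06:00 host su: BAD SU carol to root on /dev/ttyp2",
]

if __name__ == "__main__":
    for origin, via, tty in find_chained_su(LOG, parse_group_members(GROUP)):
        print(f"{origin} reached root via {via} on {tty}")
```

This is a heuristic: logouts are not in the su log, so a reused tty can carry a stale chain, and accounts whose primary group is 0 are not listed in the wheel line of the group file.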
