RE: Questions regarding the wheel group

From: Beth Reid (breid@cyberguard.com)
Date: 02/08/02


From: Beth Reid <breid@cyberguard.com>
To: "'freebsd-security@FreeBSD.org'" <freebsd-security@FreeBSD.org>
Date: Fri, 8 Feb 2002 11:57:38 -0500 

Bill,

So sorry for the inconvenience.
There was some formatting in the document which made readability easier.

Hopefully freebsd-security can help me, thanks for the suggestion.
Here is the straight text rather than a word document attachment:
-----
I am doing research on the wheel group and security and I had a couple of
questions.

I understand the purpose of wheel as follows: "Further protection is
offered for the root account by using a special group called the wheel
group. The wheel group adds greater security to a system by preventing users
that are not in this group from using the su (super user) command to su to
root."

So, the majority of the time one would add a user to the wheel group and
then give that person the root password so that these selected few users
could become root when they "su". Makes sense and is a good feature.

While doing my research, I wanted to know what other type of privileges a
user would have if they belong to wheel. What if someone inadvertently
added a user to the wheel group (and was not given root's password)? Would
a user in the wheel group without the root password be able to compromise a
system in any way?

Some thoughts: Why should the wheel group be used on any files? I would
think from a security point of view, wheel should not be the default or
primary group for root. This way if you are in the wheel group and have
root's password, you can become root. If you are in the wheel group, but do
not have root's password you should not gain any special privileges to any
files or directories. You should be like any other user.

My initial step was to check the permissions on all of the files to see if
files with a group of "wheel" had permission bits where the group and other
bits differed. Although this may not be exhaustive for every type of
system, this is what I found on a FreeBSD Release 4.3 (without source)
system. The following files had a group of wheel and had different group
and other permissions.

1) The only 2 devices on my system where wheel had more permission than
other were the following. I am not sure yet if there is a vulnerability
here.
crw-rw---- 2 root wheel 14, 0x20000000 Nov 30 09:09 ./dev/rsa0.ctl
crw-rw---- 2 root wheel 14, 0x20000000 Nov 30 09:09 ./dev/sa0.ctl

2) In the /proc directory there is a mem file for each process. This seems
to me like a vulnerability. The odd thing is that on one similar FreeBSD
4.3 release system the group was kmem for all files in this directory, all
other systems had the group for root as wheel. So two questions here: 1)
why does the group differ on the two systems, and 2) why does the wheel
group have read privilege on these mem files?

-rw-r----- 1 root wheel 0 Feb 6 12:27 ./proc/317/mem
-rw-r----- 1 root wheel 0 Feb 6 12:27 ./proc/318/mem

3) This seems harmless.
-r-xr-x--- 1 root wheel 12424 Apr 21 2001 ./usr/sbin/mptable

4) This seems like it could be a vulnerability. If someone is in wheel
that shouldn't be, he could read these files and perhaps gather some useful
information.
in /var/log
-rw-r----- 1 root wheel 5490 Feb 6 03:01 setuid.today
-rw-r----- 1 root wheel 5490 Feb 5 03:01 setuid.yesterday
-rw-r----- 1 root wheel 5464 Feb 2 03:01 dmesg.today
-rw-r----- 1 root wheel 5527 Feb 1 03:01 dmesg.yesterday
-rw-r----- 1 root wheel 136 Dec 1 03:02 mount.today

5) These directories allow wheel to poke around in them, but not someone in
the other group. It seems like I wouldn't want the crash files exposed.
The cron directory is odd because although wheel can poke around in cron, he
can't get to the tabs subfolder. The backup folder seems harmless(?).
Someone in wheel can remove files from /tmp.

in /var
drwxrwxrwt 3 root wheel 512 Feb 6 03:01 tmp
drwxr-x--- 2 root wheel 512 Feb 6 03:01 backups
drwxr-x--- 3 root wheel 512 Nov 30 09:08 cron
drwxr-x--- 2 root wheel 512 Nov 30 09:08 crash

Again, I am under the impression that if you put someone in wheel you want
him to be able to become root. It seems wheel acts more like a role
mechanism where if you belong to it, you have an additional privilege.
Should the additional privileges include access to the files above or just
be the ability to execute the "su" command?

In summary, if you could shed some light on any of these issues I would
really appreciate it. If there are any documents you could point me to, I
would be happy to do the research myself.

I am looking for answers or information for the following:

1) What if someone inadvertently added a user to the wheel group (and
was not given root's password)? Would a user in the wheel group without
the root password be able to compromise a system in any way?
2) Why should the wheel group be used on any files?
3) Why is the wheel group the primary group for root?
4) Items 1-5 for the files where group and other permissions differ.
An explanation for these files and directories. Also the kmem issue is very
strange.
5) Should being in the wheel group give any other privilege other than
to execute the "su" command?
--------

Thanks again and apologies for the inconvenience.
Beth

-----Original Message-----
From: Bill Swingle [mailto:unfurl@dub.net]
Sent: Friday, February 08, 2002 11:50 AM
To: Beth Reid
Cc: 'security-officer@FreeBSD.org'
Subject: Re: Questions regarding the wheel group

Beth,

Being that we're a unix security group most of us use microsoft products
very rarely. If your questions are text only, why complicate the matter
with an attachment?

Secondly, most likely the forum that you're looking for is the
freebsd-security mailing list. Check the freebsd.org website for more
info.

-Bill

On Fri, Feb 08, 2002 at 09:34:03AM -0500, Beth Reid wrote:
> Hi
>
> Attached is document with a few questions regarding the wheel group and
> security. If you have information, I would really appreciate it. If you
> can't read the attachment for any reason, please let me know.
>
> Thanks!
>
> Beth Reid
> CyberGuard Corporation
>
> phone: 954-958-3900 x3230
> email: breid@cyberguard.com
> fax: 954-958-3901
>
>
> See the LX, a new, low-cost EAL4 certified firewall/VPN compact appliance!
> http://www.cyberguard.com/SOLUTIONS/Solutions_lx1.html
>
>

-- 
-=| Bill Swingle - <unfurl@(dub.net|freebsd.org)>
-=| Every message PGP signed
-=| Fingerprint: C1E3 49D1 EFC9 3EE0 EA6E  6414 5200 1C95 8E09 0223
-=| "Computers are useless. They can only give you answers" Pablo Picasso 
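The audit Beth describes in items 1 through 5 (files whose group is wheel and whose group permission bits grant something the "other" bits do not) can be scripted rather than read off a full listing by eye. What follows is an added example, not code from this thread or from FreeBSD; it assumes a find that accepts symbolic modes with -perm, which both the FreeBSD and GNU find do, and the function names wheel_audit and wheel_audit_ls are this example's own.

```shell
# Added example (not from the thread): list files owned by a given group
# whose group bits grant r, w or x that the other bits lack. This is exactly
# the group-versus-other comparison in the message, done with find.
# Assumes find accepts symbolic modes in -perm (BSD find and GNU find do).

# wheel_audit GROUP [DIR]
#   Print every file under DIR (default /) with group GROUP where the group
#   bits include a permission the other bits do not. GROUP may be a name
#   ("wheel") or a numeric gid.
wheel_audit() {
    grp=$1
    dir=${2:-/}
    # -perm -g=r   : the group-read bit is set
    # ! -perm -o=r : the other-read bit is not set
    # Any one mismatch (r, w or x) makes the file worth looking at.
    find "$dir" -group "$grp" \
        \( \( -perm -g=r ! -perm -o=r \) \
        -o \( -perm -g=w ! -perm -o=w \) \
        -o \( -perm -g=x ! -perm -o=x \) \) \
        -print 2>/dev/null
}

# wheel_audit_ls GROUP [DIR]
#   Same selection as a long listing, so mode, owner and group are visible
#   in the form the findings in the message were reported.
wheel_audit_ls() {
    wheel_audit "$1" "${2:-/}" | while IFS= read -r f; do
        ls -ld "$f"
    done
}

# Usage on a FreeBSD system, run as root so every directory is readable:
#   wheel_audit_ls wheel /
# Files whose group is wheel but whose group and other bits are identical
# (for example -rw-r--r-- root wheel) are not printed: membership in wheel
# gains nothing on them, which is the case Beth wants to confirm.
```

Run it against /dev, /proc and /var first if a full-filesystem walk is too slow; the find expression is the same, only DIR changes. Because -group takes a numeric gid as well as a name, the same function works on a system where wheel has been renamed or where the group of interest is kmem, as in Beth's second item.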