Re: Question on su / possible hole

From: Andrew Kenneth Milton (akm@theinternet.com.au)
Date: 03/27/02 

Date: Thu, 28 Mar 2002 02:57:22 +1000
From: Andrew Kenneth Milton <akm@theinternet.com.au>
To: Ceri <setantae@submonkey.net>

+-------[ Ceri ]----------------------
| On Thu, Mar 28, 2002 at 02:48:27AM +1000, Andrew Kenneth Milton wrote:
| > +-------[ Damien Palmer ]----------------------
| > | At 12:35 AM 3/28/2002 +1000, Andrew Kenneth Milton wrote:
| > | >So remove world execute access from su, make an su-users group and chgrp
| > | >su with that group ?
| > |
| > | Since su already belongs to the wheel group, and we are trying to restrict
| > | su access to people in the wheel group, wouldn't it be simpler to just
| > | chmod the command, so only the owner and the group have executable
| > | permissions on it, and leave it in the wheel group? Or is there another
| > | reasoning behind creating a new group that I am not seeing?
| >
| > Neatness?
|
| If only wheel has execute access on su, then only people in wheel can su.
| Note that anyone can use su, they just can't su to root if they're not in
| wheel.
|
| Creating a new group wouldn't work anyway.
| su explicitly checks that the user calling it is in a group
| with gid=0, otherwise known as wheel.

New group is to restrict hopping from noWheelUser1 -> wheelUser2 -> root

if noWheelUser1 can't execute su they can't get to wheelUser2

I'm just providing solutions, I'm not going to try to provide a rationalisation
for why it's a problem d8) 

-- 
Totally Holistic Enterprises Internet|                      | Andrew Milton
The Internet (Aust) Pty Ltd          |                      |
ACN: 082 081 472 ABN: 83 082 081 472 |  M:+61 416 022 411   | Carpe Daemon
PO Box 837 Indooroopilly QLD 4068    |akm@theinternet.com.au| 
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Relevant Pages

  • Execute an arbitrary program as a child process?
    ... and the systemcall allows us access to their functionality. ... Saves a lot of reinventing the wheel. ... I'm looking for a way to execute an arbitrary program and watch ...
    (comp.unix.programmer)
  • Re: CopyFileDesktopToDevice
    ... I found problem that ceRapiUnInit could not execute. ... if rapi uninitialize, no problem occur when I try copy file to different ... device terminating application. ...
    (microsoft.public.pocketpc.developer)
  • Re: Click & drag a too-big page around in the browser window?
    ... >>> horizontal and vertical scroll bars to move the page around. ... >why would you restrict people to use IE??? ... >If you have a wheel mouse where the wheel acts as third button, ... I believe the wheel mouse is capable of "panning" only in a vertical ...
    (comp.lang.javascript)
  • umask for every user who belongs to a wheel group
    ... I want to give a setup of umask for every user who belongs to a wheel ... Then,I wrote the following scripts to the /etc/profile file. ...
    (comp.sys.mac.system)
  • Re: Invasion - Etype jag!!
    ... >> Just stuck on a picture of the back wheel on an E type Jag - for some ... > Belongs to the woman from It's Me Or The Dog - just seen the trailer. ...
    (uk.media.tv.misc)