Re: Question on su / possible hole

From: Ceri (setantae@submonkey.net)
Date: 03/27/02


Date: Wed, 27 Mar 2002 17:04:28 +0000
From: Ceri <setantae@submonkey.net>
To: Andrew Kenneth Milton <akm@theinternet.com.au>

On Thu, Mar 28, 2002 at 02:57:22AM +1000, Andrew Kenneth Milton wrote:
> +-------[ Ceri ]----------------------
> | On Thu, Mar 28, 2002 at 02:48:27AM +1000, Andrew Kenneth Milton wrote:
> | > +-------[ Damien Palmer ]----------------------
> | > | At 12:35 AM 3/28/2002 +1000, Andrew Kenneth Milton wrote:
> | > | >So remove world execute access from su, make an su-users group and chgrp
> | > | >su with that group ?
> | > |
> | > | Since su already belongs to the wheel group, and we are trying to restrict
> | > | su access to people in the wheel group, wouldn't it be simpler to just
> | > | chmod the command, so only the owner and the group have executable
> | > | permissions on it, and leave it in the wheel group? Or is there another
> | > | reasoning behind creating a new group that I am not seeing?
> | >
> | > Neatness?
> |
> | If only wheel has execute access on su, then only people in wheel can su.
> | Note that anyone can use su, they just can't su to root if they're not in
> | wheel.
> |
> | Creating a new group wouldn't work anyway.
> | su explicitly checks that the user calling it is in a group
> | with gid=0, otherwise known as wheel.
>
> New group is to restrict hopping from noWheelUser1 -> wheelUser2 -> root
>
> if noWheelUser1 can't execute su they can't get to wheelUser2

Oh right. Sorry.
Tune in next week to see if I can manage to read an entire thread :)

Ceri

-- 
keep a mild groove on
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message