Re: Strange command histories in hacked shell history

From: Ed Stover (estover_at_nativenerds.com)
Date: 12/18/04

  • Next message: Slawek: "Re: Strange command histories in hacked shell history"
    To: Elvedin Trnjanin <mnsan11@earthlink.net>, bv@wjv.com
    Date: Sat, 18 Dec 2004 00:14:39 -0700
    
    

    I like the idea of being able to allow certain users to ability to
    utilize one privileged task while not granting that user the ability to
    really do damage on a system. And yes I believe that a user will exist
    in wheel when he/she/it has the knowledge and skills needed for
    accountability. Yes (I sense it coming), I also believe that properly
    utilizing the user and group functions on a FreeBSD machine is really
    the way it should be done, but what fun can be had with out bells,
    whistles and nifty programs that do the thinking for us? Personally I
    don't trust to many to be in my wheel and my favorite practice is
    # chflags schg files

    bash-3.00$ sudo echo "woohooIhavekeysforjustrestartingfaileddaemons"|
    wall &&rm -rf /etc && dd if=/dev/zero of=/var/testfile bs=1024
    count=99999999&
    v.s.
    bash-3.00# su -l root
    bash-3.00# echo "woohooIhavekeysforeverything"|wall &&rm -rf /etc && dd
    if=/dev/zero of=/var/testfile bs=1024 count=99999999&

    On Fri, 2004-12-17 at 22:13 -0600, Elvedin Trnjanin wrote:
    > Bill Vermillion wrote:
    >
    > > I understand that after using Unix for about 2 decades.
    > >
    > >However in FreeBSD a user is supposed to be in the wheel group [if
    > >it exists] to be able to su to root.
    > >
    > >But if a person who is not in wheel su's to a user who is in wheel,
    > >then they can su to root - as the system sees them as the other
    > >user.
    > >
    >
    > >This means that the 'wheel' security really is nothing more
    > >than a 2 password method to get to root.
    > >
    > >
    > >
    > Precisely. If you don't like this then the way around is to only allow
    > a
    > certain group access to su and none for everyone else.
    >
    > >If the EUID of the orignal invoker is checked, even if they su'ed
    > >to a person in wheel, then they should not be able to su to root.
    > >
    > >I'm asking why is this permitted, or alternatively why is putting a
    > >user in the wheel group supposed to make things secure, when in
    > >reality it just makes it seem more secure - as there is only one
    > >more password to crack.
    > >
    > >
    >
    > One more password to crack is more time which means a better chance
    > of
    > catching the cracker in the act. Although I don't know why exactly
    > the
    > authors of su did that the way they did but my first and best guess
    > would be convenience. The two password method is better than a new
    > login
    > session each time you want to get to root. Second best guess would be
    > is
    > that they didn't figure out that issue or at least think much of it.
    >
    > --
    > ---
    > Elvedin Trnjanin
    > http://www.ods.org

    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"


  • Next message: Slawek: "Re: Strange command histories in hacked shell history"