Re: Strange command histories in hacked shell history

From: Ed Stover (
Date: 12/18/04

  • Next message: Slawek: "Re: Strange command histories in hacked shell history"
    To: Elvedin Trnjanin <>,
    Date: Sat, 18 Dec 2004 00:14:39 -0700

    I like the idea of being able to allow certain users the ability to
    utilize one privileged task while not granting that user the ability to
    really do damage on a system. And yes I believe that a user will exist
    in wheel when he/she/it has the knowledge and skills needed for
    accountability. Yes (I sense it coming), I also believe that properly
    utilizing the user and group functions on a FreeBSD machine is really
    the way it should be done, but what fun can be had without bells,
    whistles and nifty programs that do the thinking for us? Personally I
    don't trust too many to be in my wheel and my favorite practice is
    # chflags schg files

    bash-3.00$ sudo echo "woohooIhavekeysforjustrestartingfaileddaemons"|
    wall &&rm -rf /etc && dd if=/dev/zero of=/var/testfile bs=1024
    bash-3.00# su -l root
    bash-3.00# echo "woohooIhavekeysforeverything"|wall &&rm -rf /etc && dd
    if=/dev/zero of=/var/testfile bs=1024 count=99999999&

    On Fri, 2004-12-17 at 22:13 -0600, Elvedin Trnjanin wrote:
    > Bill Vermillion wrote:
    > > I understand that after using Unix for about 2 decades.
    > >
    > >However in FreeBSD a user is supposed to be in the wheel group [if
    > >it exists] to be able to su to root.
    > >
    > >But if a person who is not in wheel su's to a user who is in wheel,
    > >then they can su to root - as the system sees them as the other
    > >user.
    > >
    > >This means that the 'wheel' security really is nothing more
    > >than a 2 password method to get to root.
    > >
    > >
    > >
    > Precisely. If you don't like this then the way around is to only allow a
    > certain group access to su and none for everyone else.
    > >If the EUID of the original invoker is checked, even if they su'ed
    > >to a person in wheel, then they should not be able to su to root.
    > >
    > >I'm asking why is this permitted, or alternatively why is putting a
    > >user in the wheel group supposed to make things secure, when in
    > >reality it just makes it seem more secure - as there is only one
    > >more password to crack.
    > >
    > >
    > One more password to crack is more time which means a better chance of
    > catching the cracker in the act. Although I don't know why exactly the
    > authors of su did that the way they did but my first and best guess
    > would be convenience. The two password method is better than a new login
    > session each time you want to get to root. Second best guess would be
    > that they didn't figure out that issue or at least think much of it.
    > --
    > ---
    > Elvedin Trnjanin

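Ed's two transcripts make a point that is easy to miss when handing out sudo rights for "just restarting failed daemons": the invoking shell splits the line on `|`, `&&`, `;` and `&` before sudo ever runs, so sudo elevates only the one simple command whose first word it is, while `su -l root` elevates everything typed afterwards. The Python below is an added illustration for this thread, not code from Ed or the list: it splits a command line the way a POSIX shell would and reports which pieces would actually run as root, and flags the case where the sudo'd command is itself a shell or su. The sample line, the function names and the shell list are constructed for this example.

```python
import shlex

# Operators on which the caller's shell splits a line into simple commands.
SEPARATORS = {"|", "&&", "||", ";", "&"}

# Constructed list: a sudo'd command that starts a shell (or su) hands over
# the whole session, not one task.
SHELLS = {"sh", "bash", "csh", "tcsh", "zsh", "ksh", "su"}


def split_simple_commands(cmdline):
    """Split a shell command line into simple commands on |, &&, ||, ; and &.

    shlex with punctuation_chars=True returns runs of operator characters as
    their own tokens, so '&&' and '|' come out separately from the words.
    Quotes are handled POSIX-style, so "a b" stays one argument.
    """
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True  # keep /var/testfile and bs=1024 whole
    commands, current = [], []
    for tok in lexer:
        if tok in SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def privileged_commands(cmdline):
    """Return (privileged, unprivileged) simple commands as strings.

    Only a simple command whose first word is sudo runs with elevated
    rights; everything on the other side of a shell operator runs as the
    invoking user, exactly as in Ed's first transcript.
    """
    privileged, unprivileged = [], []
    for cmd in split_simple_commands(cmdline):
        if cmd[0] == "sudo":
            privileged.append(" ".join(cmd[1:]))
        else:
            unprivileged.append(" ".join(cmd))
    return privileged, unprivileged


def full_root_shell(cmdline):
    """True if any sudo'd command starts a shell or su: from then on every
    keystroke runs as root, which is the second transcript's situation."""
    privileged, _ = privileged_commands(cmdline)
    return any(p.split()[0] in SHELLS for p in privileged if p)


# Constructed sample in the shape of Ed's first line (benign target path).
SAMPLE = ('sudo echo "restart keys only" | wall && rm -rf /var/testfile '
          '&& dd if=/dev/zero of=/var/testfile bs=1024')


if __name__ == "__main__":
    priv, unpriv = privileged_commands(SAMPLE)
    print("runs as root:   ", priv)      # only the echo
    print("runs as invoker:", unpriv)    # wall, rm, dd
    print("su/shell via sudo:", full_root_shell("sudo su -l root"))
```

Run it on a candidate sudoers entry's intended command line before granting it: if anything the user needs ends up in the "runs as invoker" list, the grant does not actually cover the task, and if `full_root_shell` reports True the grant is no narrower than membership in wheel.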
