Re: [Full-Disclosure] Partial Solution to SUID Problems
To: Michal Zalewski <email@example.com> Date: Sat, 06 Dec 2003 19:31:32 -0500
On Sat, 06 Dec 2003 19:07:54 +0100, Michal Zalewski said:
> time, which is doubtful. The only use of 'su' is when you believe the old
> and silly rule not to allow direct root logins... but the rule is of very
> little value - it does not truly make any kind of attack more difficult or
> less likely to succeed, and having an extra setuid program (a fairly
> complex one, and with several vulnerabilities in the past) is a high price
> to pay.
Sometimes, old and silly rules aren't just about security.
The *real* reason for the "always su from a user account" rule isn't to stop
exploits. It's so you have an audit trail of who did what.
Quite often in a large shop, you'll have 5 or 6 people who have legitimate root
access to a box. Now, no sysadmin is perfect, so somebody *will* screw up
eventually. So you're sitting there at 2AM trying to fix something, and find
that somebody started changing something, got halfway through, didn't update
the Changelog file, and you have no idea what the other half of the change is
supposed to be (or even perhaps which half of the change can be backed out).
(And yes, I've seen it happen. No matter how dedicated the sysadmin, if the
phone rings and they find out their kid fell out of a tree and broke their arm,
that change won't get completed or documented - they're out the door and on the
way to the hospital).
If everybody logs in as root directly, you get to call all 5 other people and
hope the first one or two know what's going on.
If everybody logs in as themselves, and then su's, you can say "Hey, Charlie
logged in at 14:08, and su'ed at 14:10, and the file got changed at 14:15. He's
probably the one we need to wake up".
Full-Disclosure - We believe in it.
- application/pgp-signature attachment: stored