Re: [Full-Disclosure] Partial Solution to SUID Problems
Date: 12/07/03

    To: Michal Zalewski
    Date: Sat, 06 Dec 2003 19:31:32 -0500

    On Sat, 06 Dec 2003 19:07:54 +0100, Michal Zalewski said:

    > time, which is doubtful. The only use of 'su' is when you believe the old
    > and silly rule not to allow direct root logins... but the rule is of very
    > little value - it does not truly make any kind of attack more difficult or
    > less likely to succeed, and having an extra setuid program (a fairly
    > complex one, and with several vulnerabilities in the past) is a high price
    > to pay.

    Sometimes, old and silly rules aren't just about security.

    The *real* reason for the "always su from a user account" rule isn't to stop
    exploits. It's so you have an audit trail of who did what.

    Quite often in a large shop, you'll have 5 or 6 people who have legitimate root
    access to a box. Now, no sysadmin is perfect, so somebody *will* screw up
    eventually. So you're sitting there at 2AM trying to fix something, and find
    that somebody started changing something, got halfway through, didn't update
    the Changelog file, and you have no idea what the other half of the change is
    supposed to be (or even perhaps which half of the change can be backed out).
    (And yes, I've seen it happen. No matter how dedicated the sysadmin, if the
    phone rings and they find out their kid fell out of a tree and broke their arm,
    that change won't get completed or documented - they're out the door and on the
    way to the hospital).

    If everybody logs in as root directly, you get to call all 5 other people and
    hope the first one or two know what's going on.

    If everybody logs in as themselves, and then su's, you can say "Hey, Charlie
    logged in at 14:08, and su'ed at 14:10, and the file got changed at 14:15. He's
    probably the one we need to wake up".


    Full-Disclosure - We believe in it.
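
The correlation described in the message above (who su'ed to root before a file changed), as an added example that is not part of the original post. The log lines are constructed for illustration and their format is an assumption, since real su/PAM log formats vary by system; the names `root_sessions` and `candidates` are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample log; the line format is an assumption (real formats vary).
SAMPLE_LOG = """\
2003-12-06 13:02:11 host su[311]: session opened for user root by alice(uid=1001)
2003-12-06 13:40:57 host su[311]: session closed for user root
2003-12-06 14:10:03 host su[402]: session opened for user root by charlie(uid=1003)
2003-12-06 14:12:45 host su[417]: session opened for user root by dana(uid=1004)
2003-12-06 14:13:30 host su[417]: session closed for user root
2003-12-06 14:31:20 host su[402]: session closed for user root
2003-12-06 15:05:00 host su[455]: session opened for user root by bob(uid=1002)
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ su\[(?P<pid>\d+)\]: "
    r"session (?P<ev>opened|closed) for user root(?: by (?P<who>\w+)\(uid=\d+\))?$"
)
FMT = "%Y-%m-%d %H:%M:%S"

def root_sessions(log_text):
    """Pair open/close events by su PID into (user, start, end); end is None if still open."""
    open_by_pid, sessions = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that are not su session events
        ts = datetime.strptime(m["ts"], FMT)
        if m["ev"] == "opened":
            open_by_pid[m["pid"]] = (m["who"], ts)
        elif m["pid"] in open_by_pid:
            who, start = open_by_pid.pop(m["pid"])
            sessions.append((who, start, ts))
    sessions += [(who, start, None) for who, start in open_by_pid.values()]
    return sorted(sessions, key=lambda s: s[1])

def candidates(sessions, changed_at):
    """Users holding a root session at changed_at, most recent su first."""
    live = [s for s in sessions
            if s[1] <= changed_at and (s[2] is None or changed_at <= s[2])]
    return [who for who, _, _ in sorted(live, key=lambda s: s[1], reverse=True)]

if __name__ == "__main__":
    # In practice changed_at would come from os.stat(path).st_mtime.
    changed = datetime(2003, 12, 6, 14, 15, 0)
    print(candidates(root_sessions(SAMPLE_LOG), changed))
```

When root sessions overlap, more than one name comes back, so the su trail narrows the list of people to call rather than proving who made the change.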
