Re: nis : how to avoid user1 becoming user2 using local root ?
From: Brian Hatch (bri_at_ifokr.org)
Date: 03/31/04
- Previous message: Frank Burkhardt: "Re: nis : how to avoid user1 becoming user2 using local root ?"
- Maybe in reply to: Frank Burkhardt: "Re: nis : how to avoid user1 becoming user2 using local root ?"
- Next in thread: Mike Hogsett: "Re: nis : how to avoid user1 becoming user2 using local root ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 31 Mar 2004 10:24:35 -0800
To: phaser-X <px@zeroday.net>
> I have the same problem at my office and I found a simple solution that is
> very insecure and can easily be fixed since the user is allowed root on
> their workstations, but they also must have an understanding of PAM.
> Basically, just edit /etc/pam.d/su and comment out (or remove) the line
> that says "auth sufficient /lib/security/pam_rootok.so" .. This
> way if the user becomes root locally, and then tries to 'su' to another
> user, it will require root to enter that user's password in order to change
> to that user. Again, if the user has an understanding of PAM, they can
> easily fix and be able to 'su' again.
But they need not use su at all, they could compile their own su-like
program, or do anything that does a suid, for example
perl -e '$> = $< = 100; exec "/bin/bash"'
Assuming the target uid is 100, you're set. (You can setgid using $(
and $) as well.)
As mentioned, kernel 2.6 supports NFSv4, which has much better
security. But smbmount is still an option as well. For example
give them the ability to run 'sudo mount /my/samba/share' where
this is the entry in /etc/fstab:
//sambaserver/sharename /my/samba/share \
smbfs //user,username=SAMBAUSERNAME,uid=USERNAME,gid=GROUPID,noauto \
0 0
Replace capitals as appropriate. The mount will require their password for
the samba share, and so all read/write acls are done as that user on the
server. Now this does mean that if multiple people have root on this box,
anyone can access //sambaserver/sharename as the user who has it
mounted. However no one, including the mounting party, could access it
as any other arbitrary user.
-- 
Brian Hatch                  "I believe it."
Systems and                  "If Entil'Zha believes it, I believe it."
Security Engineer            "I'll be in the car."
http://www.ifokr.org/bri/
Every message PGP signed
- application/pgp-signature attachment: Digital signature
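A defender-side check for the fstab approach described in the message above, added here as an example and not part of the original post or of any tool mentioned in it. It parses an fstab and flags smbfs entries that lose the property Brian relies on (the mount requiring the user's own Samba password, so the server applies that user's ACLs), for instance a stored password= or credentials= option, or a missing username=/uid=/gid= mapping. The sample fstab and the policy rules are constructed for this example.

```python
# Constructed sample /etc/fstab for demonstration; not from the original message.
SAMPLE_FSTAB = """\
# <fs>                   <mountpoint>     <type> <options>                                        <dump> <pass>
/dev/hda1                /                ext3   defaults                                         1 1
//sambaserver/sharename  /my/samba/share  smbfs  user,username=alice,uid=alice,gid=users,noauto   0 0
//sambaserver/other      /mnt/other       smbfs  user,username=bob,password=s3cret,uid=bob,noauto 0 0
//sambaserver/pub        /mnt/pub         smbfs  defaults                                         0 0
"""

# Options that tie the mount to one specific user (constructed policy).
REQUIRED = ("username", "uid", "gid")


def parse_fstab(text):
    """Yield (device, mountpoint, fstype, options-dict) for each non-comment entry."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed entry; mount(8) would reject it anyway
        opts = {}
        for opt in fields[3].split(","):
            key, _, val = opt.partition("=")  # flag options get an empty value
            opts[key] = val
        yield fields[0], fields[1], fields[2], opts


def audit_smb_entries(text):
    """Return {mountpoint: [problems]} for smbfs entries that weaken the per-user model."""
    findings = {}
    for _dev, mnt, fstype, opts in parse_fstab(text):
        if fstype != "smbfs":
            continue
        problems = [f"missing {key}=" for key in REQUIRED if not opts.get(key)]
        if "password" in opts or "credentials" in opts:
            problems.append("stored credentials: mount no longer requires the user's password")
        if "noauto" not in opts:
            problems.append("missing noauto: share is mounted at boot rather than on request")
        if problems:
            findings[mnt] = problems
    return findings


if __name__ == "__main__":
    for mnt, problems in audit_smb_entries(SAMPLE_FSTAB).items():
        print(mnt)
        for problem in problems:
            print("  -", problem)
```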