Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 3 Apr 2001 11:37:46 -0700
From:      "Jeremiah Gowdy" <data@irev.net>
To:        "Matthew Emmerton" <matt@gsicomp.on.ca>, "Kherry Zamore" <dknj@dknj.org>, <freebsd-stable@FreeBSD.ORG>
Cc:        <freebsd-security@FreeBSD.ORG>
Subject:   Re: su change?
Message-ID:  <002d01c0bc6d$2d558390$035778d8@sherline.net>
References:  <005401c0bc63$7cb36650$0202a8c0@majorzoot> <001f01c0bc68$681a2b20$1200a8c0@gsicomp.on.ca>
next in thread | previous in thread | raw e-mail | index | archive | help 

> > if (!chshell(pwd->pw_shell) && ruid)
> >     errx(1, "permission denied (shell).");
> >
> > The only thing we need to prepend to this is a check to see if we are
> trying
> > to su to root, which we should allow regardless of the shell specified:
>
> I disagree.  The root account is an account that needs to have the highest
> number of security checks present.

Then make a point as to why root, when not having a valid shell, not being
able to log in is a useful security check in any way shape or form.  So
people can change root's shell to something invalid when they want to lock
the root account ?  That's nonsensical.  If root doesn't have a valid shell,
something is broken.  If someone gets to that stage in the code for su, they
already have an account in wheel, and the root password.  You're saying that
in the situation in which someone has an account in wheel and the root
password, but root's shell is invalid, access should be denied ?  I fail to
see the security value in this.

I support the code patch, while it's value is minimal, the behavior is not
unreasonable or insecure.

> Just consider your friend lucky - doing similar things to the root account
> on any enterprise UNIX (UnixWare, Solaris, AIX) could require a complete
> reinstall - especially if it's running C2-level security.

Sigh.  I won't bother arguing this.  I think some else has.




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?002d01c0bc6d$2d558390$035778d8>