From owner-freebsd-security Mon May 14 11: 9:40 2001 Delivered-To: freebsd-security@freebsd.org Received: from maila.telia.com (maila.telia.com [194.22.194.231]) by hub.freebsd.org (Postfix) with ESMTP id 72CAD37B423 for ; Mon, 14 May 2001 11:09:33 -0700 (PDT) (envelope-from ertr1013@student.uu.se) Received: from d1o913.telia.com (d1o913.telia.com [195.252.44.241]) by maila.telia.com (8.11.2/8.11.0) with ESMTP id f4EI9WZ14730 for ; Mon, 14 May 2001 20:09:32 +0200 (CEST) Received: from ertr1013.student.uu.se (h185n2fls20o913.telia.com [212.181.163.185]) by d1o913.telia.com (8.8.8/8.8.8) with SMTP id UAA09696 for ; Mon, 14 May 2001 20:09:29 +0200 (CEST) Received: (qmail 32719 invoked by uid 1001); 14 May 2001 18:09:28 -0000 Date: Mon, 14 May 2001 20:09:28 +0200 From: Erik Trulsson To: Eric Anderson Cc: "Oulman, Jamie" , "'freebsd-security@freebsd.org'" Subject: Re: nfs mounts / su / yp Message-ID: <20010514200927.A32697@student.uu.se> Mail-Followup-To: Eric Anderson , "Oulman, Jamie" , "'freebsd-security@freebsd.org'" References: <3BF50BC1C2B5D411A06700508BD94D61016197AB@exchange2.iphrase.com> <3B0015E5.2E1AED1B@centtech.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3B0015E5.2E1AED1B@centtech.com>; from anderson@centtech.com on Mon, May 14, 2001 at 12:29:09PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, May 14, 2001 at 12:29:09PM -0500, Eric Anderson wrote: > If a user reboots their machine, goes into single user mode, and changes > the local root password (and adds their username into the wheel group of > course), then boots into multiuser mode, they can su to root, then su to > any NIS user they desire, and do malicious things as that user. su'ing > from root to any other user never asks for a password, so login.conf > isn't used (right?).. > > Eric If a user can login as root or su to root then they can (almost by definition) do whatever they want. The solution is therefore to prevent users getting root access in the first place since once they get it it is too late to do anything about it. First of, all make sure that only people you trust are in the wheel group and know the root password. This will prevent other people from doing an su to root. If you edit /etc/ttys and mark the console as 'insecure' then the root password should be needed when going singleuser. This should stop people rebboting into singleuser mode. Just make sure that you don't forget the root password. To be totally secure you must also make sure that users cannot boot from any removable media. (floppys, CDROM, etc.) This will probably involve changing the BIOS settings to boot from HD before checking other devices. You also need to password protect the BIOS so that other people can't change the settings back again. If you are really paranoid you should also lock the computer cases so that nobody can change the HD or something similar. > > > "Oulman, Jamie" wrote: > > > > I dont know about su -> nis user restriction. But the only users in the > > wheel group should be able to su root. Also. Login.conf may be of some help. > > > > Cheers. > > > > -jamie > > > > -----Original Message----- > > From: Eric Anderson [mailto:anderson@centtech.com] > > Sent: Monday, May 14, 2001 9:13 AM > > To: freebsd-security@FreeBSD.ORG > > Subject: nfs mounts / su / yp > > > > I'm running FreeBSD client machines and mixed NFS servers. My clients > > nfs mount (or automount) the shares from the servers, and all are using > > NIS for login/password authentication. Home areas are NFS mounted > > also. My question is, if a user has (or gets) root on their desktop > > machine (FreeBSD 4.x), it allows them to su to any NIS user, and have > > access to anything as them, etc.. We often have users log in to other > > users machines, and change desks, etc. So I can't only allow one or two > > users to log in to a particular box (this would be a nightmare, as I > > have hundreds of machines to work with). It's more like an su > > restriction set that needs to be created. Like, only certain users can > > su to root.. and root can only su to the user that it originally su'd > > from, if any. I'm just curious what anyone else might be doign to solve > > this problem, since it allows users to do dangerous things as other > > users.. > > > > Thanks.. > > Eric > > -- Erik Trulsson ertr1013@student.uu.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message