From owner-freebsd-stable Tue Apr 3 15:37:15 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from xena.gsicomp.on.ca (cr677933-a.ktchnr1.on.wave.home.com [24.43.230.149]) by hub.freebsd.org (Postfix) with ESMTP id 05B3337B71A; Tue, 3 Apr 2001 15:37:08 -0700 (PDT) (envelope-from matt@gsicomp.on.ca)
Received: from hermes (hermes.gsicomp.on.ca [192.168.0.18]) by xena.gsicomp.on.ca (8.11.1/8.11.3) with SMTP id f33MYnR04124; Tue, 3 Apr 2001 18:34:56 -0400 (EDT) (envelope-from matt@gsicomp.on.ca)
Message-ID: <009001c0bc8e$a1eb6370$1200a8c0@gsicomp.on.ca>
From: "Matthew Emmerton"
To: "Jeremiah Gowdy" , "Kherry Zamore" ,
Cc:
References: <005401c0bc63$7cb36650$0202a8c0@majorzoot> <001f01c0bc68$681a2b20$1200a8c0@gsicomp.on.ca> <002d01c0bc6d$2d558390$035778d8@sherline.net>
Subject: Re: su change?
Date: Tue, 3 Apr 2001 18:37:01 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> > > if (!chshell(pwd->pw_shell) && ruid)
> > >         errx(1, "permission denied (shell).");
> > >
> > > The only thing we need to prepend to this is a check to see if we are trying
> > > to su to root, which we should allow regardless of the shell specified:
> >
> > I disagree. The root account is an account that needs to have the highest
> > number of security checks present.
>
> Then make a point as to why root, when not having a valid shell, not being
> able to log in is a useful security check in any way shape or form. So
> people can change root's shell to something invalid when they want to lock
> the root account? That's nonsensical.

Last time I checked, only root had write access to /etc/master.passwd and
/etc/shells, so only someone who hacked root could change root's shell to
something invalid.
(Note that I'm not handling the case where an administrator does something
stupid.)

gabby# ls -al /etc/shells /etc/master.passwd
-rw-r--r--  1 root  wheel   223 Jul 28  2000 /etc/shells
-rw-------  1 root  wheel  1423 Mar 18 14:10 /etc/master.passwd
gabby#

If someone happens to change root's shell, then the security of the machine
has been breached in some way. The immediate consequence is that root can't
log in. If you (the administrator) notice that you can't log in as root
anymore, then it's a really big clue that something major is wrong, and would
necessitate taking the machine out of multi-user mode ASAP to perform the
investigation and fix things up.

Furthermore, if taking the machine down to single-user mode is a real big
problem (because it's a production machine or something equally important),
then the fact that someone's compromised root makes taking the machine down a
very reasonable thing to do.

The lesson? Don't screw with production machines unless you know the
consequences of your actions, and if you must screw around, make sure you're
using the appropriate tools (vipw, chsh, etc.) to ensure that your changes are
valid.

--
Matt Emmerton

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
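The check the thread argues about, written out as an added example (this is not code from the thread or from FreeBSD's su(1)): a chshell()-style lookup of the target account's shell against the contents of /etc/shells, and the su decision that refuses a non-root caller when the target's shell is not listed while letting a real uid of 0 through regardless. To run offline, the /etc/shells contents are a constructed string passed in as `shells_text` rather than read through getusershell(3); the function names, that parameter and the sample uids and shells are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Return 1 if `shell` appears as a complete line of `shells_text`.
 * `shells_text` has the layout of /etc/shells: one absolute path per
 * line, with '#' comment lines and blank lines ignored.  This mirrors
 * what su's chshell() gets from getusershell(3), but reads a
 * caller-supplied buffer so the example never touches the real file. */
static int chshell_in(const char *shell, const char *shells_text)
{
    const char *p = shells_text;
    size_t want = strlen(shell);

    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);

        /* blank and comment lines never match; a match must be the whole line */
        if (len > 0 && p[0] != '#' && len == want && memcmp(p, shell, len) == 0)
            return 1;

        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return 0;
}

/* The decision su makes before exec'ing the target account's shell.
 * ruid is the caller's real uid, pw_shell the target's shell from the
 * password database.  Root (ruid == 0) may su to any account whatever
 * its shell; anyone else is refused when that shell is not in
 * /etc/shells.  Returns 1 = permitted, 0 = "permission denied (shell)". */
static int su_shell_permitted(uid_t ruid, const char *pw_shell,
                              const char *shells_text)
{
    if (!chshell_in(pw_shell, shells_text) && ruid != 0)
        return 0;
    return 1;
}

/* Constructed /etc/shells contents, in the style of a FreeBSD 4.x install. */
static const char SAMPLE_SHELLS[] =
    "# List of acceptable shells for chpass(1).\n"
    "# Ftpd will not allow users to connect who are not using\n"
    "# one of these shells.\n"
    "\n"
    "/bin/sh\n"
    "/bin/csh\n"
    "/bin/tcsh\n";

int main(void)
{
    /* Constructed cases: uid 1000 is an ordinary user, 0 is root. */
    struct { const char *who; uid_t ruid; const char *shell; } cases[] = {
        { "user su root, root shell /bin/csh",      1000, "/bin/csh"      },
        { "user su root, root shell /sbin/nologin", 1000, "/sbin/nologin" },
        { "root su root, root shell /sbin/nologin",    0, "/sbin/nologin" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-42s %s\n", cases[i].who,
               su_shell_permitted(cases[i].ruid, cases[i].shell, SAMPLE_SHELLS)
                   ? "permitted" : "permission denied (shell).");
    return 0;
}
```

The second case is the lock-out the thread describes: once root's shell is something not in /etc/shells, an ordinary user can no longer su to root, which is exactly the signal Matt treats as evidence that /etc/master.passwd or /etc/shells was altered by someone who already had root.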