Date: Mon, 14 May 2001 12:26:50 -0700
From: Alfred Perlstein <bright@wintelcom.net>
To: "'freebsd-security@freebsd.org'" <freebsd-security@FreeBSD.ORG>
Subject: Re: nfs mounts / su / yp
Message-ID: <20010514122650.T18676@fw.wintelcom.net>
In-Reply-To: <3B002E2B.1337F4C9@lmc.ericsson.se>; from Antoine.Beaupre@ericsson.ca on Mon, May 14, 2001 at 03:12:43PM -0400
References: <20010514200927.A32697@student.uu.se> <Pine.WNT.4.10.10105141416260.-559341@rosencrantz.east.isi.edu> <20010514204259.A33451@student.uu.se> <3B00295D.24643CD7@centtech.com> <3B002E2B.1337F4C9@lmc.ericsson.se>

* Antoine Beaupre (LMC) <Antoine.Beaupre@ericsson.ca> [010514 12:20] wrote:
> [cc's trimmed]
>
> Eric Anderson wrote:
> >
> > Well, I think the problem is that a local root should mean only local
> > root access, and su should not allow you to su to non-local users (ie,
> > NIS users).
>
> That policy (local-only su) if implemented on a machine, can be
> circumvented when the user gets root access.
>
> Heck, the user can even install another system that *doesn't have* that
> policy.
>
> > The problem is simply how do you stop root from su'ing to
> > another user?
>
> You can't. Once the user has root, he can reinstall a complete system,
> bypassing any *local* policy you might have. You can't keep root from
> doing *anything* by definition. I think there has been a few threads
> regarding this on this list. This might be seen as a UNIX design flaw
> but I certainly disagree. Anyways, that is not the issue here.

FreeBSD has securelevels, while not ideal, if implemented properly
they can limit what root can do.

-- 
-Alfred Perlstein - [alfred@freebsd.org]
http://www.egr.unlv.edu/~slumos/on-netbsd.html