Date:      Sat, 18 Dec 2004 17:35:35 -0800 (PST)
From:      Dave <mudman@metafocus.net>
To:        Craig Edwards <brain@winbot.co.uk>
Cc:        estover@nativenerds.com
Subject:   Re: Strange command histories in hacked shell history
Message-ID:  <20041218173044.K23128@metafocus.net>
In-Reply-To: <41C41869.5040408@winbot.co.uk>
References:  <20041217120138.7A89116A4D2@hub.freebsd.org> <20041217145315.GB68582@wjv.com> <41C391BE.3030604@earthlink.net> <20041218022556.GA85192@wjv.com>  <1103354079.16723.6.camel@red.nativenerds.com> <41C41869.5040408@winbot.co.uk>

> You could change the permissions on the su binary, so that only users in the wheel group can even
> execute su. That way, when a non-wheel user attempts to su to a user in the wheel group, they simply
> get permission denied.

This is a really good idea.  I decided to try it as root and chmod gave me
chmod: su: Operation Not Permitted!  The nerve!  I'll have to have a look
at that more carefully later :)

As a side note, I think Bill's point about 2 passwords to break is pretty
strong in my point of view.  Just for simplicity's sake (in both security
and in design), "the su stack" really shouldn't be any larger than 1.  No
su'ing twice, or N number of times.  Hmm, I wonder if there is an option
for setting that.  I suppose someone might have a purpose to, but if they
really need to be doing that, I think they have a problem in their own
designs.