Date: Wed, 27 Mar 2002 17:04:28 +0000 From: Ceri <setantae@submonkey.net> To: Andrew Kenneth Milton <akm@theinternet.com.au> Cc: Damien Palmer <dpalmer@northwestern.edu>, security@FreeBSD.ORG Subject: Re: Question on su / possible hole Message-ID: <20020327170428.GB62360@submonkey.net> In-Reply-To: <20020328025722.J40004@zeus.theinternet.com.au> References: <20020327142432.GB30556@wjv.com> <20020327140006.GA30556@wjv.com> <20020328000329.E40004@zeus.theinternet.com.au> <20020327142432.GB30556@wjv.com> <20020328003506.F40004@zeus.theinternet.com.au> <5.1.0.14.2.20020327103848.00acb498@casbah.it.northwestern.edu> <20020328024827.I40004@zeus.theinternet.com.au> <20020327165335.GA61997@submonkey.net> <20020328025722.J40004@zeus.theinternet.com.au>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Mar 28, 2002 at 02:57:22AM +1000, Andrew Kenneth Milton wrote: > +-------[ Ceri ]---------------------- > | On Thu, Mar 28, 2002 at 02:48:27AM +1000, Andrew Kenneth Milton wrote: > | > +-------[ Damien Palmer ]---------------------- > | > | At 12:35 AM 3/28/2002 +1000, Andrew Kenneth Milton wrote: > | > | >So remove world execute access from su, make an su-users group and chgrp > | > | >su with that group ? > | > | > | > | Since su already belongs to the wheel group, and we are trying to restrict > | > | su access to people in the wheel group, wouldn't it be simpler to just > | > | chmod the command, so only the owner and the group have executable > | > | permissions on it, and leave it in the wheel group? Or is there another > | > | reasoning behind creating a new group that I am not seeing? > | > > | > Neatness? > | > | If only wheel has execute access on su, then only people in wheel can su. > | Note that anyone can use su, they just can't su to root if they're not in > | wheel. > | > | Creating a new group wouldn't work anyway. > | su explicitly checks that the user calling it is in a group > | with gid=0, otherwise known as wheel. > > New group is to restrict hopping from noWheelUser1 -> wheelUser2 -> root > > if noWheelUser1 can't execute su they can't get to wheelUser2 Oh right. Sorry. Tune in next week to see if I can manage to read an entire thread :) Ceri -- keep a mild groove on To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020327170428.GB62360>