From: "Slawek"
Date: Sat, 18 Dec 2004 12:39:06 +0100
Subject: Re: Strange command histories in hacked shell history
Message-ID: <014a01c4e4f6$2ed05730$0505a8c0@Slawek>
References: <20041217120138.7A89116A4D2@hub.freebsd.org> <20041217145315.GB68582@wjv.com> <41C391BE.3030604@earthlink.net> <20041218022556.GA85192@wjv.com>
List-Id: Security issues [members-only posting] (freebsd-security@freebsd.org)
X-Organisation: Telsat GP

Hello!

In message to sent Fri, 17 Dec 2004 21:25:56 -0500 you wrote:

BV> I understand that after using Unix for about 2 decades.
BV> However in FreeBSD a user is supposed to be in the wheel group [if
BV> it exists] to be able to su to root.
BV> But if a person who is not in wheel su's to a user who is in wheel,
BV> then they can su to root - as the system sees them as the other
BV> user. This means that the 'wheel' security really is nothing more
BV> than a 2 password method to get to root.
BV> If the EUID of the original invoker is checked, even if they su'ed
BV> to a person in wheel, then they should not be able to su to root.

You can block access to su for untrusted users. Although keep in mind that
attackers would still be able to log in to the cracked wheel UID using ssh
and then su to root - it still doesn't need anything more than the same two
passwords. You can disable password logins for wheel UIDs altogether and
log in using certificates.

-- 
Slawomir Piotrowski
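The second mitigation in the message, no password logins for wheel members over ssh, as an added example that is not code from the thread or from the FreeBSD project. It writes a constructed "before" and "after" sshd_config under a temporary directory (file names are assumptions) and checks each one the way sshd resolves settings: first value for a keyword wins, a `Match Group wheel` block overrides the global section, and both PasswordAuthentication and KbdInteractiveAuthentication default to yes.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: the "no password
# logins for wheel" hardening as a before/after sshd_config, plus a check
# that reads a config the way sshd resolves it. The sample configs and the
# file names under $WORK are constructed for the example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed "before": a wheel member's password alone opens an ssh session,
# and from there su needs only the root password (the two-password path).
cat >"$WORK/sshd_config.weak" <<'EOF'
PermitRootLogin no
PasswordAuthentication yes
EOF

# Constructed "after": everyone else keeps password login, but wheel members
# must present a key. Turning off PasswordAuthentication alone is not enough
# on a PAM-enabled sshd, because keyboard-interactive authentication still
# prompts for the password, so that is switched off for the group as well.
cat >"$WORK/sshd_config.hardened" <<'EOF'
PermitRootLogin no
PasswordAuthentication yes
Match Group wheel
    PasswordAuthentication no
    KbdInteractiveAuthentication no
    AuthenticationMethods publickey
EOF

# wheel_password_login_disabled FILE
# Prints "yes" when a member of wheel cannot authenticate with a password
# over ssh under FILE, "no" otherwise. Mirrors sshd's rules as far as they
# matter here: the first value seen for a keyword wins, a "Match Group wheel"
# block overrides the global section, and both PasswordAuthentication and
# KbdInteractiveAuthentication (older name: ChallengeResponseAuthentication)
# default to yes. Only the "Group" criterion of Match is recognised and the
# "Keyword value" spelling is assumed (not "Keyword=value").
wheel_password_login_disabled() {
    awk '
    function eff(k) {
        if (("wheel/" k) in seen)  return seen["wheel/" k]
        if (("global/" k) in seen) return seen["global/" k]
        return "yes"                      # sshd default for both keywords
    }
    BEGIN { ctx = "global" }
    NF == 0 || $1 ~ /^#/ { next }         # blank lines and comments
    {
        key = tolower($1)
        if (key == "match") {             # start of a Match block
            ctx = "other"
            for (i = 2; i + 1 <= NF; i += 2)
                if (tolower($i) == "group" && tolower($(i + 1)) ~ /(^|,)wheel(,|$)/)
                    ctx = "wheel"
            next
        }
        if (ctx == "other") next          # a block that does not apply to wheel
        if (key == "challengeresponseauthentication") key = "kbdinteractiveauthentication"
        if (key != "passwordauthentication" && key != "kbdinteractiveauthentication") next
        id = ctx "/" key
        if (!(id in seen)) seen[id] = tolower($2)   # first occurrence wins
    }
    END {
        if (eff("passwordauthentication") == "no" && eff("kbdinteractiveauthentication") == "no")
            print "yes"
        else
            print "no"
    }' "$1"
}

printf 'weak: %s\n'     "$(wheel_password_login_disabled "$WORK/sshd_config.weak")"
printf 'hardened: %s\n' "$(wheel_password_login_disabled "$WORK/sshd_config.hardened")"
# prints "weak: no" and "hardened: yes"
```

Two notes for the su side, which the check above does not cover. On FreeBSD the wheel rule lives in /etc/pam.d/su as a pam_group.so line with `group=wheel root_only ... ruser`; `ruser` makes pam_group look at the account that invoked su, but after a su into a wheel account the invoker of the second su is that wheel account, which is exactly the chain BV describes. Dropping `root_only` from that line makes wheel membership a requirement for su to any account, not just root (see pam_group(8)), which is one way to do the "block access to su for untrusted users" step. The "certificates" in the message means key-based ssh authentication in practice; OpenSSH's CA-signed user certificates (TrustedUserCAKeys) satisfy the same `AuthenticationMethods publickey` rule.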