From owner-freebsd-security@FreeBSD.ORG Sun Dec 19 09:51:23 2004
Date: Sun, 19 Dec 2004 17:51:02 +0800
From: Ganbold
To: Dave
cc: freebsd-security@freebsd.org
Subject: Re: Strange command histories in hacked shell history
Message-Id: <6.2.0.14.2.20041219174654.051f1250@202.179.0.80>
In-Reply-To: <20041218173044.K23128@metafocus.net>
References: <20041217120138.7A89116A4D2@hub.freebsd.org> <20041217145315.GB68582@wjv.com> <41C391BE.3030604@earthlink.net> <20041218022556.GA85192@wjv.com> <1103354079.16723.6.camel@red.nativenerds.com> <41C41869.5040408@winbot.co.uk> <20041218173044.K23128@metafocus.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
List-Id: Security issues [members-only posting]

At 09:35 AM 12/19/2004, you wrote:

> > You could change the permissions on the su binary, so that only users
> > in the wheel group can even execute su. That way, when a non-wheel user
> > attempts to su to a user in the wheel group, they simply get permission
> > denied.
>
> This is a really good idea. I decided to try it as root and chmod gave me
> chmod: su: Operation Not Permitted! The nerve! I'll have to have a look
> at that more carefully later :)

Yes, I like this idea too. I'll try it for sure.

> As a side note, I think Bill's point about 2 passwords to break is pretty
> strong in my point of view. Just for simplicity's sake (in both security
> and in design), "the su stack" really shouldn't be any larger than 1. No
> su'ing twice, or N number of times.

That could be a useful option too.

> Hmm, I wonder if there is an option for setting that. I suppose someone
> might have a purpose to, but if they really need to be doing that, I think
> they have a problem in their own designs.

Anyway, thanks to all who read my annoying email and responded :)

Still I don't know yet how the hacker got into the system, but I'll try my
best and I hope I will find more on the hacked PC in the next couple of days.

thanks a lot,

Ganbold

> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
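The permission change discussed above (su runnable only by the wheel group), written out as an added example that is not part of the thread. It assumes the path /usr/bin/su and that FreeBSD installs base-system setuid binaries with the schg system-immutable flag, which is the usual reason chmod on such a file reports "Operation not permitted"; the flag can only be cleared with chflags while securelevel is 0 or lower.

```shell
#!/bin/sh
# Added example, not from the thread. Restrict the su binary so that only
# root and members of wheel may execute it. Assumes FreeBSD, /usr/bin/su,
# and that the binary carries the schg flag (cleared and restored below).

SU_BIN=${SU_BIN:-/usr/bin/su}

# Print the symbolic mode of a file, e.g. "-r-sr-x---" (first 10 chars of ls -l).
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Target mode 4550: setuid, owner and group may read/execute, others nothing.
# Touches only the mode, so it can be exercised on any file you own.
set_su_mode() {
    chmod 4550 "$1"
}

# Succeed only when the file is setuid, executable by owner and group,
# and carries no permission bits at all for "other".
check_su_mode() {
    case "$(perm_string "$1")" in
        -r-sr-x---) return 0 ;;
        *)          return 1 ;;
    esac
}

# Full procedure for the real binary; must run as root at securelevel <= 0.
restrict_su() {
    bin=${1:-$SU_BIN}
    if command -v chflags >/dev/null 2>&1; then
        chflags noschg "$bin" || return 1   # EPERM here means securelevel > 0
    fi
    chgrp wheel "$bin" || return 1          # group that keeps execute access
    set_su_mode "$bin" || return 1
    if command -v chflags >/dev/null 2>&1; then
        chflags schg "$bin" || return 1     # put the immutable flag back
    fi
    check_su_mode "$bin"
}

# Usage: sh restrict_su.sh --apply [/path/to/su]
if [ "${1:-}" = "--apply" ]; then
    restrict_su "${2:-$SU_BIN}"
fi
```

Non-wheel users then get "Permission denied" from the kernel before su ever runs, so the password prompt is never reached.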