SU vulnerability
James Wilkinson
fedora at westexe.demon.co.uk
Fri Dec 9 07:49:28 UTC 2005
Sergey wrote:
> Long time ago I decided to protect my system by allowing *ONLY* users in wheel
> group to su to root. This allows to protect the system. Regardless where you
> know the root password or not - you can not su as long as system
> administrator does not put you into wheel group.
>
> As I know this is the default behaviour of FreeBSD.
<snip>
> System-config-users utility - a little program to manage users has *NOTHING*,
> not even a little mention anywhere, that it breaks the security.
>
> Anyone who knows the root password logs in as regular user, by ssh. Using X
> forward, executes system-config-users, enters the root password and does
> ANYTHING he wants to the system. In particular, he adds himself to wheel
> group and su's to root. While the system administrator sleeps well knowing
> that he can not su because he's not in wheel group
If you want something done about this, please raise a Request For
Enhancement against system-config-users in bugzilla.redhat.com. This
will bring it to the attention of the right person. At least you should
get a comment saying why they won't support wheel in s-c-u. At best it
will go on a list of Things To Fix.
If you can contribute a patch, then it's a lot more likely to get fixed.
Hope this helps,
James.
--
E-mail address: james | ... a sign carefully conveying in pictograms the fact
@westexe.demon.co.uk | that you should not leave wheelchairs on a certain
| river bank as they would roll down the hill and the
| crocs would eat the passenger. -- Skud
More information about the users
mailing list