Re: SU vulnerability

I do realise that; however, setting the "wheel group" security option
in /etc/pam.d/su has always been considered enough. For years. Until the
USERMODE port, supposed to make the authentication process EASIER, has made
the whole system vulnerable.

Why should I know that system-config-users has opened a security hole? I had 
never used this app, it has been installed by default. And not even a little 
notice ever appeared that "a new application has been developed! it does not 
require a user to be in wheel group to gain root privs! do not tell your
sysadmin about this though!"

----- Original Message -----
From: Ben Stringer <ben@xxxxxxxxxxx>
To: For users of Fedora Core releases <fedora-list@xxxxxxxxxx>
Subject: Re: SU vulnerability
Date: Friday 09 December 2005 14:13

>On Fri, 2005-12-09 at 11:59 +0500, Sergey wrote:
>> Long time ago I decided to protect my system by allowing *ONLY* users in
>> wheel group to su to root. This allows to protect the system. Regardless
>> of whether you know the root password or not - you can not su as long as
>> the system administrator does not put you into wheel group.
>>
>> As far as I know this is the default behaviour of FreeBSD.
>>
>> In Red Hat you do it by uncommenting a line in /etc/pam.d/su
>>
>> # Uncomment the following line to require a user to be in the "wheel" group.
>> auth       required     /lib/security/$ISA/pam_wheel.so use_uid
>>
>> This protects both su and kdesu.
>>
>> What do you think? This is useless - it does not protect the system at
>> all, as I've thought for a long time.
>>
>> System-config-users utility - a little program to manage users has
>> *NOTHING*, not even a little mention anywhere, that it breaks the
>> security.
>
>So, add the same line to /etc/pam.d/system-config-users
>
>Otherwise, all you have done is to change the handling of security for
>the "su" executable, nothing else.
>
>Cheers, Ben
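
The point made in the quoted reply, that the pam_wheel line in /etc/pam.d/su only affects the "su" service, can be checked across a whole PAM directory. The script below is an added example, not part of either poster's message; the function names and the sample files are constructed for illustration, and it assumes one file per service as under /etc/pam.d.

```shell
#!/bin/sh
# has_wheel DIR SERVICE [DEPTH]: succeed if SERVICE's auth stack, or a stack it
# pulls in, contains an uncommented pam_wheel.so line. Runs in a subshell so
# the recursion does not clobber variables.
has_wheel() (
    dir=$1; svc=$2; depth=${3:-0}
    [ -f "$dir/$svc" ] && [ "$depth" -le 4 ] || exit 1
    # A commented-out line starts with '#', so it never matches '^auth'.
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_wheel\.so' "$dir/$svc" && exit 0
    # Follow "auth include X", "auth substack X" and the older
    # "auth ... pam_stack.so service=X" form.
    for inc in $(sed -nE \
        -e 's/^[[:space:]]*auth[[:space:]]+(include|substack)[[:space:]]+([^[:space:]]+).*/\2/p' \
        -e 's/^[[:space:]]*auth[[:space:]].*pam_stack\.so.*service=([^[:space:]]+).*/\1/p' \
        "$dir/$svc"); do
        has_wheel "$dir" "$inc" $((depth + 1)) && exit 0
    done
    exit 1
)

# services_without_wheel DIR: print each file in DIR with no wheel check.
services_without_wheel() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        has_wheel "$1" "$(basename "$f")" || basename "$f"
    done
}

# make_sample DIR: write a constructed pam.d tree (not copied from a real host).
make_sample() {
    cat > "$1/su" <<'EOF'
auth       sufficient   /lib/security/$ISA/pam_rootok.so
auth       required     /lib/security/$ISA/pam_wheel.so use_uid
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
EOF
    cat > "$1/system-config-users" <<'EOF'
#auth      required     /lib/security/$ISA/pam_wheel.so use_uid
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
EOF
    cat > "$1/system-auth" <<'EOF'
auth       required     /lib/security/$ISA/pam_unix.so
EOF
}

d=$(mktemp -d) && make_sample "$d" && services_without_wheel "$d"
rm -rf "$d"
```

Pointing `services_without_wheel` at /etc/pam.d audits a real host; a listed file only shows that the wheel check is absent from that stack, and shared stacks such as system-auth appear in the output alongside services.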

