I do realise that, however setting "wheel group" security option to /etc/pam.d/su has always been considered enough. For years. Until the USERMODE port, supposed to make the authentication process EASIER, has made the whole system vulnerable. Why should I know that system-config-users has opened a security hole? I had never used this app, it has been installed by default. And not even a little notice ever appeared that "a new application has been developed! it does not require a user to be in wheel group to gain root privs! do not tell you sysadmin about this though!" ----- Original Message ----- From: Ben Stringer <ben@xxxxxxxxxxx> To: For users of Fedora Core releases <fedora-list@xxxxxxxxxx> Subject: Re: SU vulnerability Date: Friday 09 December 2005 14:13 >On Fri, 2005-12-09 at 11:59 +0500, Sergey wrote: >> Long time ago I decided to protect my system by allowing *ONLY* users in >> wheel group to su to root. This allows to protect the system. Regardless >> where you know the root password or not - you can not su as long as system >> administrator does not put you into wheel group. >> >> As I know this is the default behaviour of FreeBSD. >> >> In redhat you do it by uncommenting line in /etc/pam.d/su >> >> # Uncomment the following line to require a user to be in the "wheel" >> group. auth required /lib/security/$ISA/pam_wheel.so use_uid >> >> This protects both su and kdesu. >> >> What do you think? This is useless - it does not protect the system at >> all, as I've thought for a long time. >> >> System-config-users utility - a little program to manage users has >> *NOTHING*, not even a little mention anywhere, that it breaks the >> security. > >So, add the same line to /etc/pam.d/system-config-users > >Otherwise, all you have done is to change the handling of security for >the "su" executable, nothing else. > >Cheers, Ben
