Great Circle Associates Firewalls
(August 1994) 		 
Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]
Subject: Re: SKEY on a BSDI machine
From: jsz @ ramon . bgu . ac . il (jsz)
Date: Fri, 5 Aug 94 23:51:03 IDT
To: jc @ shadow . net (Justin)
Cc: huntting @ csn . org, cbk @ magna . telco . com, firewalls @ greatcircle . com
In-reply-to: <Pine . 3 . 89 . 9408051449 . A29038-0100000 @ anshar . shadow . net>; from "Justin" at Aug 5, 94 2:26 pm 
> 
> > 
> > What I did was to "chown 500 /usr/bin/su" (making it harmless), and to
> > install the skey "su" program as "/usr/local/bin/keysu" (modulo
> > personal preference).  Skey's "su" doesn't let root su to other users
> > w/o authentication.
> > 
> 
> What's the point of that?  As root you can simply:
> 
> seteuid(0);
> execl("/bin/sh", "-i", (char *)0);
> 
> root shouldn't need authentication via su for other UIDs, it only makes 
> it a slight hassle to perform normal system administration functions on 
> user's directories.
> 

 Well, the point here is, if somehow someone snooped a root password or
 somehow found out root password, he can't become root using su(1), but
 then you may want to make sure you have "secure-ttys" turned on, and
 root can't ftp in. 


Cheers,

--- J
References:
Indexed By Date Previous: Re: SKEY on a BSDI machine
From: Brad Huntting <huntting @ csn . org>
Next: Security course annoucement
From: George Boyce <george @ csteam . com>
Indexed By Thread Previous: Re: SKEY on a BSDI machine
From: Brad Huntting <huntting @ csn . org>
Next: Re: SKEY on a BSDI machine
From: "Mark R. Ludwig" <Mark-Ludwig @ uai . com>
Google
 
Search Internet Search www.greatcircle.com