At 09:47 PM 22/03/2001, you wrote:
On Wed, Mar 21, 2001 at 05:31:30PM +0100, Sven Michels wrote:
Egan wrote:
On my new SuSE 7.1 any user can su to root if they know the root password. I thought only members of group root could su to root, but now anybody can.
I think what he wants is the FreeBSD-style su. Anyone can su to another normal user, but only members of group wheel (read root) can su to root.
When you execute harden_suse it sets up a system a little similar to what Open/Free BSD has, except the group is called trusted and the enforcement of who can su is done with file permissions and not pam. If you wish to set it exactly the same as the BSDs then use the pam_wheel module as previously discussed by others.

There are very good reasons to do defense in depth this way: there are cases where in penetration tests we have compromised the root password (through poor permissions of history files etc.) but have been unable to su because of the wheel setup.

On my systems I allow only ssh certificate based logins (no passwords at all) and also enforce the trusted group access. This means to compromise the machine (assuming there are no buffer overflows etc.) an attacker has to have a copy of my ssh private certificate (and know the rather long password it has protecting it) as well as know the rather long root password. (I enable MD5 hashes instead of DES so I can have longer passwords; the doco for this is in /usr/share/doc/packages/pam.)

If there are any other users on the system they will not have su access. If I need them to be able to do stuff, I give them access to sudo.

Cheers
---
Nix - nix@susesecurity.com
http://www.susesecurity.com
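
Added example, not part of the original message or of harden_suse: a shell audit that reports which of the two su restrictions discussed above (file permissions on the su binary, or pam_wheel) is actually in force. The function names, the paths /bin/su and /etc/pam.d/su, GNU stat, and the reading of "file permissions" as "group-owned by trusted, no execute bit for other" are assumptions.

```shell
#!/bin/sh
# Added example (not from the original message). Function names are
# hypothetical. Assumption: the permission-based scheme means su is
# group-owned by the trusted group and not executable by "other".

# perms_restrict_su MODE GROUP WANT_GROUP
# MODE is octal as printed by `stat -c %a`, e.g. 4750.
perms_restrict_su() {
    m=$(( 0$1 ))                          # leading 0: parse as octal
    [ "$2" = "$3" ] || return 1           # wrong owning group
    [ $(( m & 1 )) -eq 0 ] || return 1    # "other" can still execute su
    [ $(( m & 8 )) -ne 0 ] || return 1    # group itself cannot execute
    return 0
}

# pam_wheel_enforced FILE
# True only for an uncommented auth line that makes pam_wheel mandatory.
# "sufficient ... trust" grants wheel members access without restricting
# anyone else, and "deny" inverts the group test, so neither counts.
pam_wheel_enforced() {
    grep -E '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+[^[:space:]]*pam_wheel\.so' "$1" |
        grep -Evq '[[:space:]]deny([[:space:]]|$)'
}

# audit_su SU_PATH PAM_FILE GROUP
# Prints: both | permissions | pam_wheel | unrestricted
audit_su() {
    pam_file=$2; want=$3; result=unrestricted
    set -- $(stat -c '%a %G' "$1")        # GNU stat: octal mode, group name
    perms_restrict_su "$1" "$2" "$want" && result=permissions
    if pam_wheel_enforced "$pam_file"; then
        [ "$result" = permissions ] && result=both || result=pam_wheel
    fi
    echo "$result"
}

# Typical call (paths are assumptions): audit_su /bin/su /etc/pam.d/su trusted
if [ "$#" -eq 3 ]; then audit_su "$@"; fi
```

A result of `unrestricted` on a multi-user host means knowledge of the root password alone is enough to su, which is the situation the original question describes.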