Mailinglist Archive: opensuse-security (423 mails)

Re: [suse-security] su to root
  • From: Nix <suse@xxxxxxxxxxxxxxx>
  • Date: Thu, 22 Mar 2001 22:52:56 +1100
  • Message-id: <5.0.2.1.0.20010322224446.03589c78@xxxxxxxxxxxxxxxxxxxx>
At 09:47 PM 22/03/2001, you wrote:
> On Wed, Mar 21, 2001 at 05:31:30PM +0100, Sven Michels wrote:
> > Egan wrote:
> > >
> > > On my new SuSE 7.1 any user can su to root if they know the root
> > > password. I thought only members of group root could su to root, but
> > > now anybody can.
I think what he wants is the FreeBSD-style su. Anyone can su to another
normal user but only members of group wheel (read root) can su to root.

When you execute harden_suse it sets up a system a little similar to
what Open/Free BSD has, except the group is called trusted and the
enforcement of who can su is done with file permissions and not PAM.
If you wish to set it exactly the same as the BSDs then use the pam_wheel
module as previously discussed by others.

There are very good reasons to do defense in depth this way: there are cases
where in penetration tests we have compromised the root password (through
poor permissions of history files etc.) but have been unable to su because of
the wheel setup.

On my systems I allow only ssh certificate-based logins (no passwords at all)
and also enforce the trusted group access. This means to compromise the
machine (assuming there are no buffer overflows etc.) an attacker has to have
a copy of my ssh private certificate (and know the rather long password it has
protecting it) as well as know the rather long root password. (I enable MD5 hashes
instead of DES so I can have longer passwords; the doco for this is in
/usr/share/doc/packages/pam.)
If there are any other users on the system they will not have su access.
If I need them to be able to do stuff, I give them access to sudo.

Cheers


---
Nix - nix@xxxxxxxxxxxxxxxx
http://www.susesecurity.com
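
The two enforcement mechanisms mentioned in the message above (su limited by file permissions to group trusted, or by pam_wheel), checked by a small audit script. This is an added example, not part of the original mail and not harden_suse's own code; the exact permission layout, the /etc/pam.d/su path and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original message): audit both su restrictions.
# Assumptions: the restricted group is "trusted" (named in the message); a
# file-permission restriction means su is group-owned by that group and not
# executable by "other"; GNU stat is available for the live check.

# Constructed sample of a PAM su config with the wheel line commented out.
sample_pam_disabled() {
    printf '%s\n' '#auth required pam_wheel.so use_uid' 'auth required pam_unix.so'
}

# Succeeds if PAM file $1 has an active auth line requiring pam_wheel.so.
# Only the simple "required"/"requisite" control keywords are recognised.
pam_wheel_enforced() {
    awk '$1 ~ /^#/ { next }
         $1 == "auth" && ($2 == "required" || $2 == "requisite") &&
             $3 ~ /(^|\/)pam_wheel\.so$/ { found = 1 }
         END { exit !found }' "$1"
}

# Succeeds if octal mode $1 and group $2 restrict execution to group $3.
su_perms_restricted() {
    [ "$2" = "$3" ] || return 1
    case "$1" in
        *[0246]) return 0 ;;   # last octal digit: no execute bit for other
        *)       return 1 ;;
    esac
}

# Live check on this machine: prints one line per mechanism.
audit_local() {
    su_bin=$(command -v su) || { echo "su not found"; return 2; }
    set -- $(stat -c '%a %G' "$su_bin")
    if su_perms_restricted "$1" "$2" trusted; then
        echo "file permissions: su limited to group trusted (mode $1, group $2)"
    else
        echo "file permissions: su executable by everyone (mode $1, group $2)"
    fi
    if [ -r /etc/pam.d/su ] && pam_wheel_enforced /etc/pam.d/su; then
        echo "PAM: pam_wheel is enforced for su"
    else
        echo "PAM: pam_wheel is not enforced for su"
    fi
}

if [ "${1:-}" = "--audit" ]; then audit_local; fi
```

Run it with `--audit` to check the local machine; without arguments it only defines the functions.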

