understanding Su


From: "john huttley" <john@mwk.co.nz>
Subject: understanding Su
Date: Tue, 2 Jan 2001 07:58:36 +1300



I'm still trying to understand the implications of su.

root can su to any user without a password. This includes secoff -- which
gives admin rights.

Thus root cannot be limited by secoff. Examples I've seen of making passwd
read-only etc. won't achieve anything because root can remove the security
as easily as secoff installed it.

> > Does su have to be AUTH'd for setuid?
>
> Yes, of course. If not, root could work as any user, e.g. user secoff/400.
> I do not trust root any further than I have to.

This seems to mean that su is not AUTH'd for setuid but is authed by
capability for each UID individually.

How do you set up su?


> >
> > Programs such as atd and crond drop privs on startup.
> >
> > It seems that they also want to re-acquire root privs to run scripts on
> > behalf of users. Does this mean that they have to be AUTH'd for setuid?
>
> Yes. You sure want to control what user atd can execute commands for.

Considering this and su and ftpd and telnetd and ..., is there any way of
using AUTH to allow them the capability of any UID >= 500 (example) without
having to enumerate them?



Several daemons want to setuid to -2 (that very large number). Are there any
implications in allowing them to do so?


Regards

John


-
To unsubscribe from the rsbac list, send a mail to
majordomo@rsbac.org with
unsubscribe rsbac
as single line in the body.
