Open Source and information security mailing list archives
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Partial Solution to SUID Problems 

On Sat, 06 Dec 2003 19:07:54 +0100, Michal Zalewski said:

> time, which is doubtful. The only use of 'su' is when you believe the old
> and silly rule not to allow direct root logins... but the rule is of very
> little value - it does not truly make any kind of attack more difficult or
> less likely to succeed, and having an extra setuid program (a fairly
> complex one, and with several vulnerabilities in the past) is a high price
> to pay.

Sometimes, old and silly rules aren't just about security.

The *real* reason for the "always su from a user account" rule isn't to stop
exploits.  It's so you have an audit trail of who did what.

Quite often in a large shop, you'll have 5 or 6 people who have legitimate root
access to a box.  Now, no sysadmin is perfect, so somebody *will* screw up
eventually.   So you're sitting there at 2AM trying to fix something, and find
that somebody started changing something, got halfway through, didn't update
the Changelog file, and you have no idea what the other half of the change is
supposed to be (or even perhaps which half of the change can be backed out).
(And yes, I've seen it happen.  No matter how dedicated the sysadmin, if the
phone rings and they find out their kid fell out of a tree and broke their arm,
that change won't get completed or documented - they're out the door and on the
way to the hospital).

If everybody logs in as root directly, you get to call all 5 other people and
hope the first one or two know what's going on.

If everybody logs in as themselves, and then su's, you can say "Hey, Charlie
logged in at 14:08, and su'ed at 14:10, and the file got changed at 14:15. He's
probably the one we need to wake up".

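The audit-trail argument above (user logs in, then su's to root, then a file changes) is essentially a timestamp correlation. As an added illustration that is not part of Valdis's post, the following Python script performs that correlation over a few constructed, syslog/pam_unix-style auth log lines: it pairs su "session opened"/"session closed" records by PID, finds which users held a root su session at the moment a file was modified, and prints each candidate's login-and-su timeline. The log lines, host name, user names and the 2003 year supplied to the parser are all assumptions made for the example (syslog timestamps carry no year).

```python
import re
from datetime import datetime

# Constructed sample lines in syslog/pam_unix style; not taken from any real system.
SAMPLE_AUTH_LOG = """\
Dec  6 14:02:11 box1 sshd[2101]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
Dec  6 14:08:03 box1 sshd[2210]: Accepted password for charlie from 10.0.0.9 port 51004 ssh2
Dec  6 14:10:17 box1 su[2288]: pam_unix(su:session): session opened for user root by charlie(uid=1002)
Dec  6 14:20:45 box1 su[2288]: pam_unix(su:session): session closed for user root
Dec  6 14:30:00 box1 su[2400]: pam_unix(su:session): session opened for user root by alice(uid=1001)
"""

TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
LOGIN_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
SU_OPEN_RE = re.compile(TS + r" \S+ su\[(?P<pid>\d+)\]: pam_unix\(su:session\): "
                        r"session opened for user (?P<target>\S+) by (?P<user>[^(\s]+)")
SU_CLOSE_RE = re.compile(TS + r" \S+ su\[(?P<pid>\d+)\]: pam_unix\(su:session\): "
                         r"session closed for user (?P<target>\S+)")


def parse_ts(stamp, year):
    # Syslog stamps have no year; the caller supplies it (an assumption of this example).
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def su_sessions(log_text, year):
    """Pair su 'session opened'/'session closed' lines by PID into session records."""
    open_by_pid, sessions = {}, []
    for line in log_text.splitlines():
        m = SU_OPEN_RE.match(line)
        if m:
            sess = {"user": m["user"], "target": m["target"],
                    "opened": parse_ts(m["ts"], year), "closed": None}
            open_by_pid[m["pid"]] = sess
            sessions.append(sess)
            continue
        m = SU_CLOSE_RE.match(line)
        if m and m["pid"] in open_by_pid:
            open_by_pid.pop(m["pid"])["closed"] = parse_ts(m["ts"], year)
    return sessions


def suspects_for(log_text, changed_stamp, year=2003):
    """Users whose su-to-root session was open when the file changed.

    changed_stamp uses the log's own 'Mon DD HH:MM:SS' form, e.g. formatted from
    os.stat(path).st_mtime. A session with no 'closed' line counts as still open.
    """
    changed_at = parse_ts(changed_stamp, year)
    hits = []
    for s in su_sessions(log_text, year):
        if s["target"] != "root":
            continue
        still_open = s["closed"] is None or changed_at <= s["closed"]
        if s["opened"] <= changed_at and still_open:
            hits.append(s["user"])
    return hits


def timeline_for(log_text, user, year=2003):
    """Chronological (timestamp, event) list for one user: ssh logins and su sessions."""
    events = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m and m["user"] == user:
            events.append((parse_ts(m["ts"], year), f"ssh login from {m['src']}"))
    for s in su_sessions(log_text, year):
        if s["user"] == user:
            events.append((s["opened"], f"su to {s['target']}"))
            if s["closed"] is not None:
                events.append((s["closed"], f"su session to {s['target']} closed"))
    return sorted(events)


if __name__ == "__main__":
    changed = "Dec  6 14:15:00"  # constructed file modification time
    for u in suspects_for(SAMPLE_AUTH_LOG, changed):
        print(f"{u} held a root su session when the file changed at {changed}:")
        for ts, ev in timeline_for(SAMPLE_AUTH_LOG, u):
            print(f"  {ts:%H:%M:%S}  {ev}")
```

Running it names charlie, who logged in at 14:08, su'ed at 14:10 and still had the root session open at 14:15, while alice's later session is excluded. The correlation only works if the "su from your own account" rule is actually followed and the auth log is intact, which is exactly why a direct root login leaves nothing to correlate.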
