11/23 In Linux, how do you prevent non-wheel users from su'ing to root?
This seems to be default in most unixes.
\_ If you want the fascist BSD behavior, hack the GNU 'su'
source; GNU 'su' from sh-utils doesn't support 'wheel' because
RMS doesn't believe in group 'wheel'. (Read the documentation
if you don't believe me...) Or, install the shadow password
suite from ftp://ftp.ists.pwr.wroc.pl/pub/linux/shadow/, which
may be more your style. -brg
\_ RMS is a freak. The spread of the internet worm in the late 80s
was partly a result of his idiotic rms:rms account:pw bullshit.
\_ Geeze.. install a real unix, not a "unix-like" OS. If you want
unix power, install it. Don't try to pervert your toy into it.
Or you could do what all the fanatics are talking about: you have
the source; rewrite it. That's the point of Linux, isn't it?
\_ http://www.openbsd.org says ..
The OpenBSD project produces a FREE, multi-platform 4.4BSD-based
UNIX-like operating system. So *BSD is not real unix either.
^^^^^^^^^
We all should get a copy of sysvr4 to run real unix :p
\_ That's only a legalism. openbsd is the real thing. Linux
is a wannabe.
\_ What defines something a real UNIX and something not a real UNIX?
\_ OpenBSD has to say that because legally, only an OS
certified by The Open Group (http://www.opengroup.org) can be
called UNIX(tm).
\_ But OpenBSD, like all BSD's, actually has real
ancestral roots in ATT Unix. Even though they
are now unencumbered from ATT source (gogo USL lawsuit)
the heritage is there. Notice that you can buy a
personal Unix license which lets you get a copy of
all the Unix source including earlier BSD's from
McKusick.
\_ Many real UNIX'es don't restrict who can su root - it's a BSDism
that SysV didn't pick up. The real answer - don't give them the
root password and they can't su.
\_ Fuck SysV. I always hated SysV. SysV is lamer unix.
\_ "chgrp wheel /bin/su;chmod 4750 /bin/su"?
\_ Hey, an answer to the question, amazing. As for the guy who
said "don't give them the password," remind me not to put you
in charge of security on my network. Brute force works
awfully well on these new uber-fast computers.
\_ If you think su blocking will keep them out, you shouldn't
be in charge of security anywhere. If you ignore the
thousands of "su failed" messages that a brute force would
display, it's your fault.
\_ not to mention if you pick a real root password no one
is going to brute force it. Especially because su
almost definitely includes a delay if the person typed
in the password wrong.
\_ That delay is really going to slow me down with
my N su's all running in parallel.
\_ yes it is. Are you really this dumb?
\_ Process limits are easy to get around. Or did
you have something else in mind? What protects
you is choosing a strong password, not some
silly one-second delay.
\_ 1) What part of "real root password" don't
you understand?
\_ No such thing. Anything can be brute
forced.
\_ Assume the root password changes
once every 5 years. Remember the
assumption is the root password
is not one that a nice crack
heuristic can guess. The
password space is BIG.
2) Running out of machine resources on the
other hand is not easy to get around.
\_ You know that the pw failed as soon as
su doesn't give you a prompt. So SIGKILL
it then. No delay, no resource limit, no
problem. The point is that su's delay
doesn't get you any benefit in and of
itself. You can get it down to where it
takes hardly any more resources than it
would without the delay.
\_ actually they do the delay even
if you choose the right password.
But even if they didn't you would
a significant amount of time
(compared to the amount of time a
crack takes) just to know the test
had failed. Even if it was a few
microseconds that adds up QUICK.
OH and umm, starting up that new
su process is EXPENSIVE compared to
the password check.
Do you have any idea how many attempts
you need to do to brute force a password?
\_ Doesn't matter. Got time. Some OS's
even let me read the pw file. I can
copy it elsewhere. If I have physical
access to anything, you're totally
doomed.
\_ this person wasn't asking about
shadow passwords. The issue was
su being a security hole. Not
/etc/passwd.
And a few more points...
If you are so stupid you think
anyone being able to su as root
is a security hole cause they can
use it to crack root by a brute
force attack, well guess what,
they can just brute force the
account of someone who has wheel
and then brute force the root
password from that account.
You obviously are some pathetic
fool who knows only enough to
be dangerous.
The dangers of letting anyone su
to root are along the lines of
person x knows the root password
somehow. (Either was told,
looked over someone's shoulder,
sniffed it cause some fool
used the root password over an
insecure net, etc.) It gives you
a minor level of security in those
cases. However there are much
more dangerous things to worry
about.
\_ If someone can brute force the password, why would he even
bother to su to root? He'll just simply login as root.
\_ not if remote root logins are disabled.
\_ I don't let my users login.
\_ *cheer*! --BOFH
\_ I figure it's safest that way. I print their email and
leave it in their inbox via in-house courier/mailboy. They
use the phone to call anyone back. WebTV for browsing.
\_ Take it to a fucking security newsgroup.
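Added example, not part of the thread: a check that a su binary actually carries the restriction the "chgrp wheel /bin/su;chmod 4750 /bin/su" reply sets up. The function name `check_su_restricted` is hypothetical, and the script assumes GNU coreutils `stat`, as on Linux.

```shell
#!/bin/sh
# Added example (not from the thread). check_su_restricted is a hypothetical
# helper; it assumes GNU coreutils stat(1). It does not check the file owner.
# Usage: check_su_restricted PATH GROUP
# Returns 0 when PATH is setuid, group-owned by GROUP, executable by that
# group, and grants nothing to "other" (e.g. mode 4750); 1 when any check
# fails; 2 when PATH cannot be examined.
check_su_restricted() {
    path=$1
    want_group=$2
    [ -f "$path" ] || { echo "not a regular file: $path" >&2; return 2; }
    mode=$(stat -c '%a' "$path") || return 2    # octal mode, e.g. 4750
    group=$(stat -c '%G' "$path") || return 2   # group name, e.g. wheel
    bits=$((0$mode))                            # leading 0: parse as octal
    rc=0
    if [ $((bits & 04000)) -eq 0 ]; then
        echo "$path: setuid bit is not set (mode $mode)" >&2
        rc=1
    fi
    if [ $((bits & 07)) -ne 0 ]; then
        echo "$path: mode $mode grants access to users outside the group" >&2
        rc=1
    fi
    if [ $((bits & 010)) -eq 0 ]; then
        echo "$path: group has no execute permission (mode $mode)" >&2
        rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "$path: group is '$group', expected '$want_group'" >&2
        rc=1
    fi
    return $rc
}

# When run with arguments: ./check.sh /bin/su wheel
if [ $# -gt 0 ]; then
    check_su_restricted "$1" "${2:-wheel}"
fi
```

A package upgrade that reinstalls su can silently put the mode back to 4755, so a check like this is worth re-running after updates.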