jasmerb@mist.cs.orst.edu (Bryce Jasmer) (02/21/89)
For all of you who have installed su2 on your NeXT machines, I would like to warn you that anyone who is in the group "staff" will be able to become a super-user with the current configuration. This happens because of several permissions that are set in the original setup. 1) daily, weekly, and monthly scripts are staff writeable. 2) daily, weekly, and monthly scripts are run by root. This allows someone in "staff" to write a little script at the end of daily, weekly, or monthly that can do anything as root. (Add himself to the super-user list with su2 installed, create new users, rm -r /, etc, etc.) So, either change the scripts to root writeable only, or limit those on staff to those who you would want to be a super-user anyway. I would suggest just changing the permissions on the scripts because there are several times when it useful to have someone on staff but not be a super- user. ------------------------------------------------------------------------------ Bryce Jasmer | c/o Support Staff | Internet email: jasmerb@cs.orst.edu Computer Science Dept. | Oregon State University | NeXT voice mail: jasmerb@hobbes.cs.orst.edu Corvallis, OR 97331 | (my machine is finally here :-) ------------------------------------------------------------------------------