tchrist@convex.COM (Tom Christiansen) (04/26/91)
From the keyboard of muts@fysak.fys.ruu.nl (Peter Mutsaers):
:Now that we are discussing a su enhancer etc., here is a 'root' program that
:I've been using the last 1.5 years.
:The syntax is 'root command [args]' and runs one command with su privilege.
:It is quite safe, and checks if the uid is right. (only works for one user).

I think you guys are missing the point. Any command that grants
unrestricted privilege to even one user without confronting them
with a password is a security hole. All I have to do is be that
user, through Trojan horses, people absent from their offices,
TIOCSTI usurpation, etc.

--tom
nazgul@alphalpha.com (Kee Hinckley) (04/27/91)
In article <1991Apr26.142736.21272@convex.com> tchrist@convex.COM (Tom Christiansen) writes:
>I think you guys are missing the point. Any command that grants
>unrestricted privilege to even one user without confronting them
>with a password is a security hole. All I have to do is be that
>user, through Trojan horses, people absent from their offices,
>TIOCSTI usurpation, etc.

What kind of places do you guys work anyway? Does paranoia really reign
supreme? The last place I worked had around 2000 workstations all on the
same remote file system (none of this NFS mount nonsense) and I'd say that
1 out of every 10 people (at the least) had a command lying around so they
could become root as necessary. Boom, instant access to over a terabyte of
data. Sure it was possible to disable remote root access - but hardly
anyone did. Besides which, most everything was at least _readable_ by
everybody.

Unauthorized root privileges aren't a security problem, they're a social
problem.

--
Alfalfa Software, Inc.    | Poste: The EMail for Unix
nazgul@alfalfa.com        | Send Anything... Anywhere
617/646-7703 (voice/fax)  | info@alfalfa.com

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.
kimcm@diku.dk (Kim Christian Madsen) (05/04/91)
tchrist@convex.COM (Tom Christiansen) writes:
>I think you guys are missing the point. Any command that grants
>unrestricted privilege to even one user without confronting them
>with a password is a security hole. All I have to do is be that
>user, through Trojan horses, people absent from their offices,
>TIOCSTI usurpation, etc.

Honestly I think that *you guys* are too touchy (-;

It is alright to warn us that if you install a su(1) replacement that
doesn't need a password to become another user - the integrity of the
su'ed account is lowered to the level of security of the account which is
allowed to use this password-free su replacement!

But at some installations, there are no outside links (neither networks
nor phone-links) and two or three people sharing the system
administration, and no real secrets from other users (just that the
sysadms don't want them to harm the system by mistake), and the sysadms
themselves don't want to become root more often than required in order to
minimalize their own mistakes. In such places the installation of a
password-free su replacement is often a lesser evil than having lazy
sysadms run too much in root-mode.

Another scenario where a su replacement is almost harmless is when you as
the primary sysadm want to have the privilege of changing the passwords of
system accounts without having to consult the secondary sysadms. And if
you can trust these fellow sysadms to be just as strict with the security
of their accounts as with the root account.

Where does all this lead? Yes, I am in favor of password-free su
replacements (I use one myself), since it adds to the level of internal
security (me becoming root less time than with ordinary su, due to the
ease and the command line options of the program), and the added awareness
of my own account's integrity is a lesser evil!

Regards
Kim Chr. Madsen
cks@hawkwind.utcs.toronto.edu (Chris Siebenmann) (05/07/91)
kimcm@diku.dk (Kim Christian Madsen) writes:
| [...] In such places the installation of a password-free su replacement
| is often a lesser evil than having lazy sysadms run too much in
| root-mode.

Perhaps a better solution is to stop having lazy sysadms? Personally, I am
quite aware of how much damage I can do as root by accident, and try to
spend as little time as root as I can; I think scared and cautious sysadms
are highly worth cultivating.

--
"This is what separates us system programmers from the application
programmers: we can ruin an entire machine and then recover it, they can
only ruin their own files and then get someone else to restore them"
- Geoff Collyer
cks@hawkwind.utcs.toronto.edu ...!{utgpu,utzoo,watmath}!utgpu!cks