nick@kralizec.fido.oz.au (Nick Andrew) (04/30/91)
tchrist@convex.COM (Tom Christiansen) writes:
>And this is a feature??? If there are users who can become root
>without a password, then it's MUCH easier to subvert the system.

My feed site used an elegant scheme for distributing root access among
several authorised people. Called 'sus', it worked this way:

'sus -a'        to Authorise yourself for root privileges. 'sus -a' would
                ask for your 'sus password', which was stored encrypted in
                sus's password file. Only people in the 'sus' group can
                use the sus command.

'sus command'   After doing a 'sus -a', this executed 'command' with root
                privileges. No password is required. And the command can
                be 'csh' if a root shell is required. And the command can
                be executed multiple times.

'sus -p'        To change your sus password.

'sus -d'        To De-Authorise yourself for root privileges. After doing
                'sus -d', no root commands can be done until doing another
                'sus -a' (and specifying your sus password again)

So you see this solution satisfies all criteria:

- It isn't a security hole. Only specified users can run sus.
- Before root permissions can be gained, a password is required.
- It is convenient to use, as the password need be entered only once
  per login session.
- Only the head System Administrator knows the root password.
- Everybody else has their own 'sus' password which is secure.
- Sus does its own logging. It can be modified to do secure logging
  when a network is in use by opening a connection to a sus logger on
  a remote machine. The remote machine should not allow root access
  from the local machine, and none of the sus users should have root
  access on the remote machine. Therefore, sus's actions can be logged
  securely.

Nick.
--
Kralizec Public Access Unix: USENET & Internet mail + huge software archives.
Sysop Fidonet 3:713/602 Data: +61-2-627-4177, v22bis, 24 hours <nick@kralizec.fido.oz.au>
Zeta Microcomputer Software <nick@socs.uts.edu.au> P.O. Box 177, Riverstone NSW 2765
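
Added example, not part of the original post and not sus's own code: a small Python model of the flow described above (group check, 'sus -a', 'sus command', 'sus -d', and an audit record for every decision). The names SusGate and audit_sink, the session labels, the log line format and the PBKDF2 password storage are assumptions; the post only says the password is "stored encrypted".

```python
import hashlib, hmac, os

class SusGate:
    """Model of the sus flow: group check, -a, command, -d, with an audit log."""
    def __init__(self, sus_group, audit_sink):
        self.sus_group = set(sus_group)   # users allowed to run sus at all
        self.passwords = {}               # user -> (salt, derived key)
        self.authorised = set()           # (user, session) pairs after 'sus -a'
        self.audit = audit_sink           # callable; could forward to a remote logger

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, user, password):          # 'sus -p' (simplified)
        salt = os.urandom(16)
        self.passwords[user] = (salt, self._derive(password, salt))

    def authorise(self, user, session, password):    # 'sus -a'
        ok = False
        if user in self.sus_group and user in self.passwords:
            salt, stored = self.passwords[user]
            ok = hmac.compare_digest(stored, self._derive(password, salt))
        if ok:
            self.authorised.add((user, session))
        self.audit(f"{user}@{session} authorise {'OK' if ok else 'DENIED'}")
        return ok

    def run(self, user, session, command):           # 'sus command'
        ok = user in self.sus_group and (user, session) in self.authorised
        self.audit(f"{user}@{session} run {command!r} {'OK' if ok else 'DENIED'}")
        return ok   # the model only decides and logs; nothing is executed

    def deauthorise(self, user, session):            # 'sus -d'
        self.authorised.discard((user, session))
        self.audit(f"{user}@{session} deauthorise")

def demo():
    log = []                                  # stands in for the remote logger
    gate = SusGate(sus_group={"nick"}, audit_sink=log.append)
    pw = "constructed-sample-password"        # constructed sample value
    gate.set_password("nick", pw)
    r = [gate.run("nick", "tty1", "csh"),            # before -a: denied
         gate.authorise("nick", "tty1", "wrong"),    # bad password: denied
         gate.authorise("nick", "tty1", pw),         # correct password
         gate.run("nick", "tty1", "csh"),            # allowed, repeatable
         gate.run("nick", "tty2", "csh")]            # other session: denied
    gate.deauthorise("nick", "tty1")
    r.append(gate.run("nick", "tty1", "csh"))        # after -d: denied
    return r, log
```

Denied attempts are logged as well as successful ones, so the log sink sees every request for root, not only the commands that ran.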