dct@mdaali.cancer.utexas.edu (David C. Tuttle) (03/26/91)
I administer a Sun 3/110 running 4.0.3 (still... :-) and have a small mystery on my hands. I think it's got a simple answer - I just don't know what it is.

Today, I found that I could not "su" to root from my no-special-privileges account (i.e., an account not in the "wheel" group). My administrator account (in the "wheel" group) was not affected. Now, I wonder what I (or someone else?) have done to cause this. And more generally, what does one do to implement/deimplement this level of security (we have an Alliant that has never allowed what the Sun allowed routinely... until now).

The part of TFM where I expected to find the answer says nothing useful. I'd appreciate an e-mail from someone who knows what controls this. Thanks!

--
David C. Tuttle                 dct@mdaali.cancer.utexas.edu
Software Systems Specialist     Department of Biomathematics
University of Texas M.D. Anderson Cancer Center     Houston, Texas

navarra@casbah.acns.nwu.edu (The MaD ScIeNTiSt) (03/26/91)
In article <4880@lib.tmc.edu> dct@mdaali.cancer.utexas.edu (David C. Tuttle) writes:
>I administer a Sun 3/110 running 4.0.3 (still... :-) and have a small
>mystery on my hands. I think it's got a simple answer - I just don't know
>what it is.
>
>Today, I found that I could not "su" to root from my no-special-privileges
>account (i.e., an account not in the "wheel" group). My administrator
>account (in the "wheel" group) was not affected. Now, I wonder what I (or
>someone else?) have done to cause this. And more generally, what does one
>do to implement/deimplement this level of security (we have an Alliant
>that has never allowed what the Sun allowed routinely... until now).
>
>The part of TFM where I expected to find the answer says nothing useful.
>I'd appreciate an e-mail from someone who knows what controls this.
>Thanks!

Under versions of 4.2BSD or later, only users in the wheel group
listed in /etc/groups are allowed to su to root. --

check out su2 though -- that might work from your other account.

>
>--
>David C. Tuttle dct@mdaali.cancer.utexas.edu
>Software Systems Specialist Department of Biomathematics
>University of Texas M.D. Anderson Cancer Center Houston, Texas

--
From the Lab of the MAd ScIenTisT....
navarra@casbah.acns.nwu.edu

bush@ecs.ox.ac.uk (Mark Bush) (03/27/91)
In article <1991Mar26.013137.22927@casbah.acns.nwu.edu> navarra@casbah.acns.nwu.edu (The MaD ScIeNTiSt) writes:
>In article <4880@lib.tmc.edu> dct@mdaali.cancer.utexas.edu (David C. Tuttle) writes:
>>I administer a Sun 3/110 running 4.0.3 (still... :-) and have a small
>>mystery on my hands. I think it's got a simple answer - I just don't know
>>what it is.
>>
>>Today, I found that I could not "su" to root from my no-special-privileges
>>account (i.e., an account not in the "wheel" group). My administrator
>>account (in the "wheel" group) was not affected. Now, I wonder what I (or
>>someone else?) have done to cause this. And more generally, what does one
>
> Under versions of 4.2BSD or later, only users in the wheel group
> listed in /etc/groups are allowed to su to root. --
>
> check out su2 though -- that might work from your other account.

But he's running SunOS! Although SunOS4.0.3 is based on 4.3BSD, the functionality is not the same. On our system, there are no non-root accounts in group wheel, yet for SunOS3.5, SunOS4.0.3, SunOS4.1 and SunOS4.1.1 I can su to root from my own account.

What results do you get when you su from your no-privilege account? I found that I got root's environment when I su'ed to my admin account (home directory /, shell /bin/csh) --- ie. my shell was csh and my prompt had a `#' in it.

When I su'ed to `root' on a 4.0.3 machine, I kept my own environment (including my shell - bash!) so it *appears* as if the su failed, but `id' showed that I was, indeed, root and I did have root privileges --- ie. I had my normal-user shell (bash) and home directory (not /)

On a SunOS4.1 or SunOS4.1.1 machine, su'ing to root gives me root's environment --- ie. home directory /, shell csh.

So, when you su, try `id' to see if you really have failed to su.

Mark

navarra@casbah.acns.nwu.edu (The MaD ScIeNTiSt) (03/28/91)
In article <1991Mar26.013137.22927@casbah.acns.nwu.edu> navarra@casbah.acns.nwu.edu (The MaD ScIeNTiSt) writes:
>In article <4880@lib.tmc.edu> dct@mdaali.cancer.utexas.edu (David C. Tuttle) writes:
>>
>>Today, I found that I could not "su" to root from my no-special-privileges
>>account (i.e., an account not in the "wheel" group). My administrator
>>account (in the "wheel" group) was not affected. Now, I wonder what I (or
>>someone else?) have done to cause this. And more generally, what does one
>
> Under versions of 4.2BSD or later, only users in the wheel group
> listed in /etc/groups are allowed to su to root. --
>
> check out su2 though -- that might work from your other account.

-But he's running SunOS! Although SunOS4.0.3 is based on 4.3BSD, the
-functionality is not the same. On our system, there are no non-root
-accounts in group wheel, yet for SunOS3.5, SunOS4.0.3, SunOS4.1 and
-SunOS4.1.1 I can su to root from my own account.

SU(1V)                    USER COMMANDS                    SU(1V)

NAME
     su - super-user, temporarily switch to a new user ID

SYNOPSIS
     su [ - ] [ -f ] [ username [ arg... ] ]

SYSTEM V SYNOPSIS
     su [ - ] [ username [ arg... ] ]

     If no username is specified, root is assumed.

     If the wheel group (group 0) does not contain a null user list
     and has members, only they can su to root, even with the root
     password.

     To remind the super-user of his responsibilities, the shell
     substitutes `#' for '$' or '%' in its usual prompt

Sun Release 4.1     Last change: 21 September 1989     2
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
I run SunOS 4.1 too.

-What results do you get when you su from your no-privilege account?

This is what I get!

$ su
You do not have permission to su root

My name is not listed in /etc/group under wheel.

-On a SunOS4.1 or SunOS4.1.1 machine, su'ing to root gives me root's
-environment --- ie. home directory /, shell csh.
-
-So, when you su, try `id' to see if you really have failed to su.
-Mark

I don't understand how you get a root shell. On my machine I do not have permission to do this -- so I can't type id to see if it worked! But as I said before -- I believe you can list your name in /usr/local/lib/super-users and issue the su2 command to su to root with your non-wheel account and get root privs. Unfortunately my name is not in there -- check it out.

--
From the Lab of the MAd ScIenTisT....
navarra@casbah.acns.nwu.edu
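
The SU(1V) rule quoted in the post above, as an added example that is not part of the original thread or of SunOS: a shell function that reads a group(5)-format file and reports whether su to root is open, allowed or denied for a given account. It models only the group-0 membership check from the man page excerpt; the function names, file names and account names are constructed for illustration.

```shell
#!/bin/sh
# su_root_gate GROUPFILE USER
# Applies the SU(1V) rule quoted above to a group(5)-format file and prints:
#   open    - group 0 has a null user list, so membership is not checked
#   allowed - group 0 has members and USER is one of them
#   denied  - group 0 has members and USER is not among them
su_root_gate() {
    awk -F: -v user="$2" '
        /^[ \t]*(#|$)/ { next }           # skip comments and blank lines
        $3 == "0" {                       # wheel is identified by GID 0
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", m[i])
                if (m[i] == "") continue  # tolerate stray commas
                members++
                if (m[i] == user) hit = 1
            }
        }
        END {
            if (!members)  print "open"
            else if (hit)  print "allowed"
            else           print "denied"
        }
    ' "$1"
}

# write_samples DIR: two constructed group files (account names are made up).
write_samples() {
    printf '%s\n' 'wheel:*:0:' 'daemon:*:1:' 'staff:*:10:plainuser' \
        > "$1/group.open"
    printf '%s\n' 'wheel:*:0:sysadm' 'daemon:*:1:' 'staff:*:10:plainuser' \
        > "$1/group.restricted"
}

# Stand-alone demo over the constructed samples.
d=$(mktemp -d)
write_samples "$d"
for f in open restricted; do
    for u in sysadm plainuser; do
        echo "group.$f $u: $(su_root_gate "$d/group.$f" "$u")"
    done
done
rm -rf "$d"
```

Comparing the result for the same account before and after a change to the group file shows whether adding the first member to group 0 is what switched the restriction on.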