
Re: Where is old "info su" which had RMS comment ??



On Tue, 24 Sep 2002 21:09, Joseph Carter wrote:
> And there lies the center of my annoyance: We don't have a wheel group or
> anything like it today because of a bad call which seemed good at the
> time, more than a decade ago.  Whether or not it would enhance security at
> all is not even in question.  Only the historical tradition that it has
> not been there for so long seems to argue against it.  Might not matter so
> much on my single-user system behind a firewall, but it sure matters on
> the ISP shell server with hundreds of users..

For an ISP shell server a wheel group is inadequate.  You want better security 
than that.  What about all the SUID applications that might be the subject of 
the next exploit?

For serious security on a public shell server you want SE Linux or something 
similar.

The standard practice for SE Linux is to control access to changing "roles" 
(the SE Linux equivalent to UID) based on the "identity" (the user-name you 
log in as).  So you can "su" to another account and your identity will not
change.

With a wheel group you can su to an account that has the wheel group and su to 
root from there.  With SE Linux if your identity is not permitted to take the 
sysadm_r role then no matter how many times you change role or UID in the 
session you will still be unable to enter sysadm_r!

It would not be THAT difficult to write a PAM module for SE Linux that uses SE 
credentials to determine whether su operations are permitted.  For example 
you could allow "su root" only to users in a particular role.  I'm not sure 
whether this is necessary; the regular SE Linux controls in combination with
the regular Unix controls will probably be enough, but you could always 
integrate them more.

The fact that su changes the identity completely instead of recording the fact 
that one user is acting in the context of another user for future security 
decisions is a deficiency in the standard Unix model.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
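
The difference described in the message above, modelled as an added example (not part of the original post and not SE Linux code): a wheel check looks only at the current UID, while the role check looks at the login identity, which su does not change. The account names, the `WHEEL` and `ROLES` tables and all function names are constructed for illustration, and passwords are assumed to be known to whoever runs su.

```python
from dataclasses import dataclass, replace

# Constructed sample data (assumptions, not from the post).
WHEEL = {"alice"}                       # Unix accounts in group wheel
ROLES = {                               # SE Linux identity -> roles it may enter
    "alice": {"user_r", "sysadm_r"},
    "mallory": {"user_r"},
}

@dataclass(frozen=True)
class Session:
    identity: str        # SE Linux identity: fixed at login, survives su
    uid: str             # Unix account the session currently runs as
    role: str = "user_r"

def login(user):
    return Session(identity=user, uid=user)

def su_wheel(s, target):
    """Wheel rule: only the *current* uid is checked before su to root.
    Passwords are assumed known to the caller (hypothetical scenario)."""
    if target == "root" and s.uid != "root" and s.uid not in WHEEL:
        raise PermissionError(f"{s.uid} is not in wheel")
    return replace(s, uid=target)       # uid changes, identity does not

def newrole(s, role):
    """SE Linux rule: the role must be authorised for the login identity."""
    if role not in ROLES.get(s.identity, set()):
        raise PermissionError(f"identity {s.identity} may not enter {role}")
    return replace(s, role=role)

def can_reach_sysadm(user, via):
    """Log in as user, su through the accounts in via, then to root, then
    request sysadm_r. Returns (final uid, whether sysadm_r was entered)."""
    s = login(user)
    try:
        for account in [*via, "root"]:
            s = su_wheel(s, account)
    except PermissionError:
        return (s.uid, False)
    try:
        s = newrole(s, "sysadm_r")
    except PermissionError:
        pass                            # role stays user_r despite uid root
    return (s.uid, s.role == "sysadm_r")

if __name__ == "__main__":
    for user, via in [("mallory", []), ("mallory", ["alice"]), ("alice", [])]:
        print(user, via, can_reach_sysadm(user, via))
```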


