
Re: su - user question

On Sun, 2002-01-20 at 12:33, martin f krafft wrote:

I'm glad you were able to get that follow-up response out of your system
Martin :-) So let's continue to address this technical question that I
haven't found much discussion about before on the web.

If the use of switch user has remote security implications I want to be
able to understand them. The same as I want to be able to understand if
leaving a root console open has remote security implications. Don't
worry about local physical access. I want everyone to assume this is
impossible. You have to assume this is impossible to not get

> > The question I have is if I "su - username" and then browse the web,
> > etc. is it impossible for a remote user who managed to gain access to
> > that user session to become root by exiting out of the user account?
> > 
> > I'm almost certain the answer should be no. But I'd just like
> > confirmation.
> no. he'd have to steal your actual tty session, and if all you are doing
> is surfing the web, then he can't really do that. however, which browser
> are you using? are you running X? why not use tty2-tty6 for a separate
> user login?

Please don't worry about what else I could do. That's all sensible
(unnecessary) advice. I want to understand this from a theoretical
viewpoint. It gives me a "very weird feeling in my intestines" as well
using su - to switch to a user account and I want to understand why.

Can anyone provide a plausible scenario for how someone might be able to
gain root level access because su - has been used to switch to a user
account? Martin has already answered that your tty session would have to
be stolen. How can you steal a tty session using only remote means?

You have any vulnerability at your disposal that would only give user
level access but in this case would allow root access. You have every
program at your disposal that has a security vulnerability that would
have only granted user level access (because if the vulnerability
already grants root level access it's irrelevant).

