*BSD News Article 4318

Newsgroups: comp.unix.bsd
Path: sserve!manuel!munnari.oz.au!uunet!haven.umd.edu!darwin.sura.net!jvnc.net!yale.edu!ira.uka.de!math.fu-berlin.de!unidui!du9ds3!veit
From: veit@du9ds3.uni-duisburg.de (Holger Veit)
Subject: Re: su behavior
References: <1992Aug31.155112.18068@engage.pko.dec.com>
Date: 31 Aug 92 17:04:41 GMT
Reply-To: veit@du9ds3.uni-duisburg.de
Organization: Uni-Duisburg FB9 Datenverarbeitung
Sender: @unidui.uni-duisburg.de
Message-ID: <veit.715280681@du9ds3>
Lines: 36

In <1992Aug31.155112.18068@engage.pko.dec.com> eje@irenaeus.mlo.dec.com (Eric James Ewanco) writes:

>I noticed something unusual, at least to me, about su behavior on 386bsd.

>I've used Ultrix in the past, Suns too, and they allow you to su on any
>terminal. But 386bsd insists that the only ones who can su are those who are in
>the group "wheel".  This is pretty stupid, though, because when I put my user
>in group wheel, I automatically had root privileges!! This totally defeats the
>purpose of su!  If you are allowed to su, then you don't need to because you
>already have root access!!!

>Is this standard behavior for su?  What is the reasoning behind this?

Not exactly. It says that the users that *may change to the group wheel*
may run 'su'. I.e. if you add a user name (of any group) in /etc/group after 
the last colon in the group wheel, then this user may do 'su'. But even if 
you belong to the wheel group, with GID 0, you shouldn't be running with 
UID 0, and normally, you do not have the root right with this automatically
(unless there is a hidden bug). 

The reason for this mechanism is that not any hacker who "read your 
fingers" when you were entering the password to become su may repeat it.
This goes along with disabling the 'secure' keyword in /etc/ttytab for all
connections except console, and locking the console for unprivileged 
users.

>Eric

Holger

-- 
|  |   / Holger Veit             | INTERNET: veit@du9ds3.uni-duisburg.de
|__|  /  University of Duisburg  | BITNET: veit%du9ds3.uni-duisburg.de@UNIDO
|  | /   Dept. of Electr. Eng.   | "No, my programs are not BUGGY, these are
|  |/    Inst. f. Dataprocessing |          just unexpected FEATURES"
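The two settings Holger describes (the wheel line in /etc/group and the 'secure' keyword in /etc/ttytab) are easy to audit. The script below is an added example, not code from the post or from 386BSD; it reads constructed sample copies of both files, lists who is permitted to run su, and lists which ttys are still marked secure. The file contents and user names are made up for the illustration.

```sh
#!/bin/sh
# Added example: audit su eligibility (wheel membership) and secure ttys.
# Constructed sample files stand in for the real /etc/group and /etc/ttytab.
GROUP_FILE=$(mktemp)
TTYTAB_FILE=$(mktemp)
trap 'rm -f "$GROUP_FILE" "$TTYTAB_FILE"' EXIT

# Format: name:password:gid:member,member,...  (members listed after the last colon)
cat > "$GROUP_FILE" <<'EOF'
wheel:*:0:root,holger
daemon:*:1:daemon
staff:*:20:eric,holger
EOF

# Format: name getty-command type status [secure]  (constructed, 4.3BSD-style layout)
cat > "$TTYTAB_FILE" <<'EOF'
# name  getty                          type   status
console "/usr/libexec/getty std.9600"  vt100  on secure
ttyv1   "/usr/libexec/getty Pc"        pc3    on
ttyd0   "/usr/libexec/getty std.9600"  dialup on
EOF

# Print the supplementary members of the wheel group, one per line.
# Note: being listed here only permits running su; it does not grant UID 0.
wheel_members() {
    awk -F: '$1 == "wheel" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$1"
}

# Exit 0 if user $1 is listed in the wheel group of file $2, 1 otherwise.
may_su() {
    wheel_members "$2" | grep -qx "$1"
}

# Print the ttys whose line carries the "secure" keyword (comments skipped).
# A secure tty allows direct root login, so normally only console should appear.
secure_ttys() {
    awk '$1 !~ /^#/ && /secure/ { print $1 }' "$1"
}

printf 'Users who may run su: %s\n' "$(wheel_members "$GROUP_FILE" | tr '\n' ' ')"
printf 'Ttys marked secure:   %s\n' "$(secure_ttys "$TTYTAB_FILE" | tr '\n' ' ')"
```

Pointing GROUP_FILE and TTYTAB_FILE at the live /etc/group and /etc/ttytab gives the same report for a real system.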