Mike Oliver wrote: >>Change the group ownership on su to root:wheel . >>Next, remove execute permission from "other" on su. > I have to say I find this option kind of puzzling. > What's the rationale exactly? Why couldn't an > opponent who knew the root pword just execute > his *own* copy of su? It seems it would have nuisance > value at best. Not that nuisance value couldn't be of > some practical use, provided the security admin doesn't > think it's a substitute for safeguarding passwords.
The rationale is you only allow a certain set of users to have execute permission for su. This gives another layer of security, as only members of the "wheel" group would be able to even attempt to run su. The "wheel" group would be made up of SA's who would understand proper security procedures with both thier own password and system or network passwords. So breaking into one of their accounts should be harder than a typical user. One cannot have his "own" copy of su. su is completly worthless without the +s bit set. Only root can set that bit. So "your own copy" of su would do nothing even if you knew the root password. At most you'd be able to su to yourself. Give it a try on any unix system... > Or maybe it's to prevent *inadvertant* rather than malicious > damage? Something like: People in our group might find > out the root pword and be tempted to su to quick-fix some > difficulty they're having, then they might break something > and we wouldn't know who was responsible, so we'll just > remove the temptation? I guess that makes a certain amount > of sense, but it's not terribly flattering to your coworkers. If any user can "find out" the root password then there is already some serious problems going on with security procedures and policy. -- Bryan Whitehead SysAdmin - JPL - Interferometry Systems and Technology Phone: 818 354 2903 [EMAIL PROTECTED]
Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com
