another 'su encancer'

Kim Christian Madsen kimcm at diku.dk
Sun May 5 02:55:08 AEST 1991


tchrist at convex.COM (Tom Christiansen) writes:

>I think you guys are missing the point.  Any command that grants 
>unrestricted privilege to even one user without confronting them
>with a password is a security hole.  All I have to do is be that 
>user, through Trojan horses, people absent from their offices, 
>TIOCSTI usurpation, etc.  

Honestly I think that *you guys* are too touchy (-; It is alright to
warn us that if you install a su(1) replacement that doesn't need a
password to become another user - the integrity of the su'ed account
is lowered to the level of security of the account which is allowed to
use this password-free su replacement!

But at some installations, there are no outside links (neither
networks nor phone links) and two or three people sharing the
system administration, and no real secrets from other users (just that
the sysadms don't want them to harm the system by mistake) and the
sysadms themselves don't want to become root more often than
required in order to minimize their own mistakes. In such places the
installation of a password-free su replacement is often a lesser evil
than having lazy sysadms run too much in root mode.

Another scenario where a su replacement is almost harmless is when you
as the primary sysadm want to have the privilege of changing the
passwords of system accounts without having to consult the secondary
sysadms, and if you can trust these fellow sysadms to be just as
strict with the security of their accounts as with the root account.

Where does all this lead? Yes, I am in favor of password-free su
replacements (I use one myself), since it adds to the level of
internal security (me becoming root less time than with ordinary su,
due to the ease and the command line options of the program), and the
added awareness of my own account's integrity is a lesser evil!

						Regards
						Kim Chr. Madsen


