Strange command histories in hacked shell history

Ed Stover estover at nativenerds.com
Fri Dec 17 23:14:47 PST 2004


I like the idea of being able to allow certain users the ability to
utilize one privileged task while not granting that user the ability to
really do damage on a system. And yes, I believe that a user will exist
in wheel when he/she/it has the knowledge and skills needed for
accountability. Yes (I sense it coming), I also believe that properly
utilizing the user and group functions on a FreeBSD machine is really
the way it should be done, but what fun can be had without bells,
whistles and nifty programs that do the thinking for us? Personally I
don't trust too many to be in my wheel, and my favorite practice is
# chflags schg files


bash-3.00$ sudo echo "woohooIhavekeysforjustrestartingfaileddaemons" | wall && rm -rf /etc && dd if=/dev/zero of=/var/testfile bs=1024 count=99999999 &
vs.
bash-3.00# su -l root
bash-3.00# echo "woohooIhavekeysforeverything" | wall && rm -rf /etc && dd if=/dev/zero of=/var/testfile bs=1024 count=99999999 &



On Fri, 2004-12-17 at 22:13 -0600, Elvedin Trnjanin wrote:
> Bill Vermillion wrote:
> 
> > I understand that after using Unix for about 2 decades.
> >
> > However in FreeBSD a user is supposed to be in the wheel group [if
> > it exists] to be able to su to root.
> >
> > But if a person who is not in wheel su's to a user who is in wheel,
> > then they can su to root - as the system sees them as the other
> > user.
> >
> > This means that the 'wheel' security really is nothing more
> > than a 2 password method to get to root.
> >
> Precisely. If you don't like this then the way around is to only allow
> a certain group access to su and none for everyone else.
> 
> > If the EUID of the original invoker is checked, even if they su'ed
> > to a person in wheel, then they should not be able to su to root.
> >
> > I'm asking why this is permitted, or alternatively why putting a
> > user in the wheel group is supposed to make things secure, when in
> > reality it just makes it seem more secure - as there is only one
> > more password to crack.
> >
> One more password to crack is more time, which means a better chance
> of catching the cracker in the act. Although I don't know exactly why
> the authors of su did it the way they did, my first and best guess
> would be convenience. The two-password method is better than a new
> login session each time you want to get to root. My second-best guess
> is that they didn't figure out that issue, or at least didn't think
> much of it.
> 
> -- 
> ---
> Elvedin Trnjanin
> http://www.ods.org
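
The distinction Ed draws above is worth making precise. In `sudo echo "..." | wall && rm -rf /etc && dd ...`, sudo elevates only `echo`; the pipe, `wall`, `rm` and `dd` all run as the invoking user, so the sudoers entry is exactly what bounds the damage. Whether such an entry really grants "one privileged task" depends on what it permits: a command of `ALL`, or a program that can spawn a shell or write arbitrary files (an editor, a pager, an interpreter), hands back full root regardless of how narrow the rule looks. Below, as an added example that is not part of the original post or of FreeBSD's or sudo's own tooling, is a small POSIX shell/awk audit that flags such entries. The sudoers text, the group name `daemonops` and the user names in it are constructed for illustration, and the list of shell-escaping programs is a common sampling, not an exhaustive one.

```shell
# Added example, not from the thread: flag sudoers rules that defeat
# "one privileged task, no further damage".  The sudoers text is
# constructed for illustration (names and rules are assumptions).
SAMPLE_SUDOERS='# constructed sample, not a real sudoers file
Defaults    env_reset
root        ALL=(ALL) ALL
%wheel      ALL=(ALL) ALL
%daemonops  ALL=(root) NOPASSWD: /etc/rc.d/nginx restart, /etc/rc.d/nginx status
estover     ALL=(root) /usr/bin/vi /etc/hosts
backup      ALL=(root) NOPASSWD: /usr/bin/less /var/log/messages'

# risky_rules: read sudoers text from stdin (or from files named as
# arguments) and print "user: reason" for every rule that grants ALL or
# a program that can spawn a shell (shells, editors, pagers, interpreters).
# Aliases and backslash continuations are not handled: this is an audit
# aid over plain user specs, not a full sudoers parser.
risky_rules() {
  awk '
    /^[ \t]*$/ { next }                      # blank lines
    /^[ \t]*(#|Defaults)/ { next }           # comments and Defaults lines
    {
      who = $1
      spec = $0
      sub(/^[^=]*=[ \t]*/, "", spec)         # drop the "user HOST=" prefix
      sub(/^\([^)]*\)[ \t]*/, "", spec)      # drop the "(runas)" list
      sub(/^([A-Z]+:[ \t]*)+/, "", spec)     # drop tags such as NOPASSWD:
      n = split(spec, cmds, /[ \t]*,[ \t]*/) # one rule may list several commands
      for (i = 1; i <= n; i++) {
        if (cmds[i] == "ALL") { print who ": ALL"; continue }
        split(cmds[i], parts, /[ \t]+/)
        bin = parts[1]
        sub(/.*\//, "", bin)                 # basename of the command
        if (bin ~ /^(sh|bash|csh|tcsh|zsh|vi|vim|view|ed|less|more|man|find|awk|perl|python|ruby)$/)
          print who ": " bin
      }
    }' "$@"
}

# check_sample: run the audit over the constructed sudoers text above.
# Expected: root and %wheel are flagged for ALL, estover for vi, backup
# for less; the daemonops restart/status rule passes.
check_sample() {
  printf '%s\n' "$SAMPLE_SUDOERS" | risky_rules
}

check_sample
```

On a real box the same function can be pointed at the installed file, for example `risky_rules /usr/local/etc/sudoers` (the default location for the sudo port on FreeBSD); run `visudo -c` as well, since this script only looks for dangerous grants, not for syntax errors.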



More information about the freebsd-security mailing list