Strange command histories in hacked shell history

[Bill Vermillion]

While normally not able to pour water out of a boot with
instructions on the heel, on Mon, Dec 20, 2004 at 10:56  
our dear friend Gerhard Schmidt uttered this load of codswallop:

> On Fri, Dec 17, 2004 at 09:53:15AM -0500, Bill Vermillion wrote:

[much deleted - wjv]


> > Can anyone explain why  su   does not use the UID from the login
> > instead of the EUID ?  It strikes me as a security hole, but I'm no
> > security expert so explanations either way would be welcomed.

> I'm not a security expert, but if someone has the
> Username/Password for an Account that can su to root. Where is
> the point of disallowing him to su to this user and than to su.
> You can?t prevent him form directly logging in as this User
> an than use su. Therefore there is no gain in security just a
> drawback in usefulness. I use this often to get a rootshell on
> an Xsession from an user who can't su to root.

You can limit the access for the person who has wheel/su
privledges by running sshd and then permitting connections only
from certain IPs or IP blocks. So another person is severely
restricited from logging in as this user even if they have cracker
that persons password. But once the craccker is in the system they
can attempt breaking the password on a local basis, and the attack
the root system.

I think the comment one other person made about limiting the su
stack to 1, so that you can not su to an account and then su to
another account is a good approach.

Considering the HUGE abount of attempted SSH logins I see on my
servers from all over the world, with most coming from Korea,
China, and lately Brazil, to add to those from Germany and Russia
[just some I recall from the whois queries] andthing we can do
to improve the security is a step forward.

In server environments security far outweighs all other
considerations IMO.  

Bill



-- 
Bill Vermillion - bv @ wjv . com