#5537 HIGH Update.: Use sudo, not su, to get root.
Zarro Boogs per Child
bugtracker at laptop.org
Sun Dec 23 21:23:56 EST 2007
#5537: Use sudo, not su, to get root.
---------------------+------------------------------------------------------
Reporter: cscott | Owner: cscott
Type: defect | Status: new
Priority: high | Milestone: Update.1
Component: distro | Version:
Resolution: | Keywords:
Verified: 0 | Blocking:
Blockedby: |
---------------------+------------------------------------------------------
Comment(by AlbertCahalan):
Replying to [comment:24 cscott]:
> The patch does not yet fix the security problem: because olpc has no
> password, any activity can su to olpc, and then sudo to root. Albert, is
> there a way to configure su to allow olpc/wheel to su to root while
> disallowing su to olpc?
Yes. The pam_listfile stuff should work, but I found
the pam_succeed_if module easier to use. That second
line below makes user-to-user su require group wheel.
{{{
#%PAM-1.0
auth sufficient pam_rootok.so
auth required pam_succeed_if.so debug use_uid user ingroup wheel
#auth required pam_listfile.so onerr=fail item=user sense=allow file=/etc/security/su.allow
#auth required pam_listfile.so onerr=fail item=user sense=deny file=/etc/security/su.deny
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so use_uid
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
}}}
ffm's idea is also pretty good.
Either way, there are about 17 setuid binaries that probably ought to be
restricted.
--
Ticket URL: <http://dev.laptop.org/ticket/5537#comment:27>
One Laptop Per Child <http://dev.laptop.org>
OLPC bug tracking system
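The following simulation is an added example, not part of the ticket or of any OLPC code. It models the `auth` stack of the su configuration quoted in the comment, applying the standard PAM control-flag semantics (`sufficient` short-circuits on success unless an earlier `required` module has failed; a failed `required` module keeps running the stack but dooms the result), and compares the quoted stack with the same stack minus the `pam_succeed_if` line, to show why that line closes the "activity su to olpc" hole. The accounts, uids and the `activity` user are constructed; `include system-auth` is reduced to a password check that accepts an empty password for a passwordless account (the `nullok` behaviour the ticket's concern assumes); and `pam_wheel` is modelled as restricting only su to uid 0, which is the reading the discussion relies on.

```python
"""Simulate the PAM 'auth' stack of the su config quoted in the ticket.

Added example, not from the ticket.  Only the modules the quoted stack
uses are modelled; accounts and uids below are constructed samples.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    groups: frozenset = frozenset()
    has_password: bool = True


# Constructed accounts (assumption: uids and the 'activity' user are illustrative).
ROOT = Account("root", 0, frozenset({"root"}))
OLPC = Account("olpc", 500, frozenset({"olpc", "wheel"}), has_password=False)
ACTIVITY = Account("activity", 10001, frozenset({"activity"}))

# The quoted 'auth' stack as (control flag, module, args); comments and the
# account/password/session phases are omitted.
FIXED_AUTH_STACK = [
    ("sufficient", "pam_rootok.so", ""),
    ("required", "pam_succeed_if.so", "debug use_uid user ingroup wheel"),
    ("required", "pam_wheel.so", "use_uid"),
    ("include", "system-auth", ""),
]
# The same stack before the pam_succeed_if line was added.
ORIGINAL_AUTH_STACK = [e for e in FIXED_AUTH_STACK if e[1] != "pam_succeed_if.so"]

IGNORE = None  # a module result that does not influence the stack outcome


def run_module(module, args, caller, target, knows_target_password):
    """Return True (success), False (auth failure) or IGNORE for one module."""
    if module == "pam_rootok.so":
        return caller.uid == 0
    if module == "pam_succeed_if.so":
        # 'use_uid' evaluates the condition against the calling user rather
        # than the user being authenticated; 'user ingroup wheel' is the test.
        words = args.split()
        group = words[words.index("ingroup") + 1]
        subject = caller if "use_uid" in words else target
        return group in subject.groups
    if module == "pam_wheel.so":
        # Assumption: only su *to* uid 0 is checked, as the ticket discussion reads it.
        if target.uid != 0:
            return IGNORE
        return "wheel" in caller.groups
    if module == "system-auth":
        # Assumption: pam_unix with nullok, so a passwordless account always passes.
        return (not target.has_password) or knows_target_password
    raise ValueError(f"unmodelled module {module}")


def su_allowed(stack, caller, target, knows_target_password=False):
    """Apply PAM control-flag semantics to the stack and return the outcome."""
    failed = False
    for control, module, args in stack:
        if control == "include":
            control = "required"  # the included system-auth lines are 'required'
        result = run_module(module, args, caller, target, knows_target_password)
        if result is IGNORE:
            continue
        if control == "sufficient":
            if result and not failed:
                return True  # short-circuit: later modules do not run
        elif control == "required":
            if not result:
                failed = True  # keep running, but the stack will fail
        elif control == "requisite":
            if not result:
                return False
        # 'optional' modules would not influence the outcome
    return not failed


def report(stack):
    """Outcome of the su transitions discussed in the ticket for one stack."""
    return {
        ("root", "olpc"): su_allowed(stack, ROOT, OLPC),
        ("olpc", "root"): su_allowed(stack, OLPC, ROOT, knows_target_password=True),
        ("activity", "olpc"): su_allowed(stack, ACTIVITY, OLPC),
        ("activity", "root"): su_allowed(stack, ACTIVITY, ROOT, knows_target_password=True),
    }


if __name__ == "__main__":
    for label, stack in (("original", ORIGINAL_AUTH_STACK), ("fixed", FIXED_AUTH_STACK)):
        for (caller, target), ok in report(stack).items():
            print(f"{label:8} su {caller:>8} -> {target:<5}: {'allowed' if ok else 'denied'}")
```

Running it shows the one transition that differs: with the original stack an unprivileged `activity` account can su to the passwordless `olpc` (and from there reach sudo), while with the `pam_succeed_if` line every user-to-user su by a non-wheel caller fails before `system-auth` is even consulted; `olpc` to root and root to anyone are unaffected.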