sudo, not su.
acahalan at gmail.com
Fri Dec 21 20:15:09 EST 2007
On Dec 21, 2007 1:27 PM, C. Scott Ananian <cscott at laptop.org> wrote:
> I think people misunderstand the core problem: if root does not have a
> password, then *any activity on the system* can gain root privileges
> by su'ing to root.
This is not a given. Much has to be in place for
this to happen. Off the top of my head...
1. the "su" binary must be in the namespace
2. the "su" binary must not be overmounted
3. the "su" binary must be on a suid filesystem
4. the "su" binary must be setuid root
5. the "su" binary permission must allow execution
6. /etc/pam.d/su must not have pam_wheel.so set up
7. no SE Linux restrictions block required transitions
Pay attention to number 7. Look here:
-bash-3.2# cat /etc/pam.d/su
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
So it looks like you just uncomment line 6 in that file,
add user "olpc" to the "wheel" group, and verify that
nothing is copying supplementary groups to activities.
(hey, I saved one byte!)
More information about the Devel