Hello.
I just found a potential problem that might need a security advisory.
I just installed Arch Linux and originally I added myself to the wheel group. Yesterday, I removed myself from the wheel group, started the laptop today and su'd to root and was let in.
grep wheel /etc/group
wheel::10:root
id todd
uid=1001(todd) gid=100(users) groups=100(users),50(games),92(audio),93(optical),95(storage)
tail /var/log/auth.log
...
Mar 11 20:01:26 part-emach su: pam_unix(su:session): session opened for user root by (uid=1001)
Is there something I don't know? This doesn't look good.
Last edited by Gen2ly (2009-03-12 17:21:47)
Setting Up a Scripting Environment | Proud donor to wikipedia - link
This is really the wrong forum, but anyways... I'm no expert, but I'm pretty sure the wheel group only affects sudo, not su. When you say you were "let in" does that mean you were not prompted for a password or just that it worked at all? I thought that su always worked as any user if you had the correct password. The reason (partially) for having sudo is so that you may get additional privileges without the need to know the root password.
Thanks for the quick response fflarex. Yes, I did have to enter a password. For *nix typically the wheel group allows user permission to 'su' to the root user. Adding permissions to use 'sudo' is done in /etc/visudo. Some distros change these though, but Arch tends to work upstream. This is either a bad bug or is different from my previous distro.
Last edited by Gen2ly (2009-03-12 04:39:21)
GNU su never supported the wheel group AFAIK. The BSD one does... You don't have to use wheel group to configure sudo, but it is helpful on multi user systems.
su = switch user (part of coreutils) = same as logout and back in (has nothing to do with visudo/sudoers or the wheel group), disabling the root account like Ubuntu does is what you are looking for i think.
sudo = permission to execute command as another user (configured in sudoers and irrelevant to su).
Last edited by Chrysalis (2009-03-12 05:23:07)
su = switch user (part of coreutils) = same as logout and back in
<smartass mode>su = substitute user (identity)</smartass mode>
and it's kinda more like logging in as root, cause if you quit your su session, you're back to your former shell
cheers
Phil
You need to configure PAM for this.
There isn't much of a problem with su not needing wheel, since it requires you to type in the root password, which if you had you could very likely just do a normal login with it. sudo requires the wheel group because it lets you act as root without typing in root's password.
I've heard before that GNU su doesn't allow wheel anymore because I know they've taken a spartan response to it. And Ranguvar, true. Normally access to su is no big deal because a person would need local access to be able to get into root. I've found out hackers though that are able to inject commands with knowledge of the root password. RedShift, you hit the nail on the head - PAM has options that allow wheel permissions to get access. From /etc/pam.d/su:
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
Got it done guys. Thanks for helping me figure this out.
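The following is an added example, not code from the thread or from Arch's own files: a POSIX sh audit of the two things this post turns on, whether a pam.d/su-style file actually activates pam_wheel.so and in which mode, and whether a given user appears on the wheel line of a group file. The sample group and su service files are constructed inline (the pam_rootok/pam_unix lines are just typical filler around the two pam_wheel lines quoted above).

```shell
#!/bin/sh
# Added example: audit pam_wheel enforcement in a PAM service file and wheel
# membership in a group file. All input files are constructed below.

# Print the pam_wheel policy active in a PAM service file:
#   none            pam_wheel commented out or absent: anyone who knows the
#                   root password can su (what the original poster observed)
#   trust           wheel members su to root with no password prompt
#   required        only wheel members may su at all
#   trust+required  both lines uncommented
pam_wheel_policy() {
    # Only uncommented "auth" lines that load pam_wheel.so count.
    active=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_wheel\.so' "$1" || true)
    policy=none
    if printf '%s\n' "$active" | grep -q 'trust'; then
        policy=trust
    fi
    if printf '%s\n' "$active" | grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]'; then
        if [ "$policy" = trust ]; then policy='trust+required'; else policy=required; fi
    fi
    printf '%s\n' "$policy"
}

# Exit 0 if user $2 is listed on the wheel line of group file $1, else 1.
user_in_wheel() {
    awk -F: -v u="$2" '
        $1 == "wheel" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }' "$1"
}

# Constructed sample data mirroring the thread: wheel holds only root, and the
# stock su service file ships both pam_wheel lines commented out.
tmp=$(mktemp -d)
printf 'wheel::10:root\nusers:x:100:\n' > "$tmp/group"
cat > "$tmp/su.default" <<'EOF'
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            required        pam_unix.so
EOF
# Hardened variant: the "required" pam_wheel line uncommented.
sed 's/^#\(auth.*required.*pam_wheel\)/\1/' "$tmp/su.default" > "$tmp/su.hardened"

pam_wheel_policy "$tmp/su.default"    # none
pam_wheel_policy "$tmp/su.hardened"   # required
user_in_wheel "$tmp/group" todd && echo 'todd is in wheel' || echo 'todd is not in wheel'
```

Run it against the real /etc/pam.d/su and /etc/group to see whether a box relies on the root password alone or also on wheel membership.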
I've heard before that gnu su doesn't allow wheel anymore because I know they've taken a spartan response to it.
Actually, it comes from Richard Stallman's feelings on this, as per the Core Utilities manual:
23.5.1 Why GNU su does not support the 'wheel' group
(This section is by Richard Stallman.)
Sometimes a few of the users try to hold total power over all the rest. For example, in 1984, a few users at the MIT AI lab decided to seize power by changing the operator password on the Twenex system and keeping it secret from everyone else. (I was able to thwart this coup and give power back to the users by patching the kernel, but I wouldn't know how to do that in Unix.)
However, occasionally the rulers do tell someone. Under the usual su mechanism, once someone learns the root password who sympathizes with the ordinary users, he or she can tell the rest. The "wheel group" feature would make this impossible, and thus cement the power of the rulers.
I'm on the side of the masses, not that of the rulers. If you are used to supporting the bosses and sysadmins in whatever they do, you might find this idea strange at first.
Personally, I prefer the BSD way of doing things, but it is not a really big deal to me.
From a security standpoint, su to root should not require the root password.
Recent openSUSE had this problem (with echo showing the password used). Not sure though if this was fixed, as openSUSE devs insisted that this (revealing the root password) is "normal" and harmless.