oss-sec mailing list archives
Re: Re: [Pkg-shadow-devel] subuid security patches for shadow package
From: Solar Designer <solar () openwall com>
Date: Mon, 25 Jul 2016 15:13:51 +0300
Replying out of context (not related to the specific getlogin() issue):

On Mon, Jul 25, 2016 at 10:39:30AM +0200, Sebastian Krahmer wrote:
> Err, sorry. Shared UID, different name

As a special case, this is common practice for UID 0 (root) accounts of multiple sysadmins, providing poor man's accountability (due to the different account names getting in all the usual logs, without having to check which specific SSH key, etc. was used for a given login session). We even have a tool to support it for single-user mode logins as well:

http://www.openwall.com/msulogin/

The far more common alternative to it is to use su or sudo from the multiple sysadmins' non-root accounts. A problem with it is that if use of those non-root accounts is not restricted solely to su/sudo from them, but they are also used to run other programs as non-root, then any of those other programs may take over the root account (possibly in multiple steps, such as by substituting shell aliases and waiting for the sysadmin to run su/sudo next time). To avoid this, we'd arrive at the need to have two non-root accounts per sysadmin (and to have su/sudo available to only one set of those accounts, so as not to expose those programs' vulnerabilities to the other set of accounts, nor to regular users of the system, unnecessarily), - or to have per-sysadmin root accounts. The latter is simpler.

Alexander