Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!watmath!clyde!rutgers!brl-adm!adm!rgenter@j.bbn.COM
From: rgenter@j.bbn.COM
Newsgroups: comp.unix.wizards
Subject: Re: su Security
Message-ID: <4263@brl-adm.ARPA>
Date: Wed, 4-Feb-87 22:29:11 EST
Article-I.D.: brl-adm.4263
Posted: Wed Feb  4 22:29:11 1987
Date-Received: Sat, 7-Feb-87 09:13:50 EST
Sender: news@brl-adm.ARPA
Lines: 14

A program to check a table of users to see if they are authorized to
execute 'su' is of limited utility, if any.  If a user has the root
password and they are excluded from running 'su', there is nothing to
prevent them from just running 'login' and logging in as the superuser.
If you are going to modify 'su', you might as well modify 'login' as
well, perhaps to ask a second password or to check from which terminal
the login is being attempted (except that I believe System V already
does this through the use of /etc/securetty?).
					- Rick
--------
Rick Genter 				BBN Laboratories Inc.
(617) 497-3848				10 Moulton St.  6/512
rgenter@bbn.COM  (Internet new)		Cambridge, MA   02238
rgenter@bbnj.ARPA (Internet old)	seismo!bbn.com!rgenter (UUCP)