Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!watmath!clyde!masscomp!ulowell!arosen
From: arosen@ulowell.UUCP
Newsgroups: comp.unix.wizards
Subject: Re: su Security
Message-ID: <1067@ulowell.cs.ulowell.edu>
Date: Wed, 18-Feb-87 17:58:51 EST
Article-I.D.: ulowell.1067
Posted: Wed Feb 18 17:58:51 1987
Date-Received: Thu, 19-Feb-87 21:45:18 EST
References: <4263@brl-adm.ARPA> <200@olamb.UUCP>
Reply-To: arosen@ulowell.cs.ulowell.edu (Andy Rosen)
Organization: University of Lowell
Lines: 19

>[1] If a user has the root password he can do what he want's to...
>    There's nothing that prevents modifying the su program to
>    check the tty from where the su is attempted to see whether it is a
>    securetty...

An unauthorized user with the root password can do nothing if:
 1:  Root logins are restricted to the console.  (This, of course, assumes
     the console is physically protected from unauthorized users).

 2:  SU has been modified to allow only certain users to 'su root'.

The user needs the root password and a way to get a root shell.  If these
two restrictions are put on a system, it won't let him in anywhere even
with the password.

UUCP  : wanginst!ulowell!arosen
USnail: Andy Rosen
	ULowell, Box #3031
	Lowell, Ma 01854