Path: utzoo!utgpu!water!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!bloom-beacon!mit-eddie!uw-beaver!tektronix!tekcrl!eirik From: eirik@tekcrl.TEK.COM (Eirik Fuller) Newsgroups: comp.unix.wizards Subject: Re: Reasons for restricting su privilege? Message-ID: <3185@tekcrl.CRL.TEK.COM> Date: 20 Oct 88 18:40:42 GMT References: <6606@pyr.gatech.EDU> <25003@tut.cis.ohio-state.edu> Sender: ftp@tekcrl.CRL.TEK.COM Organization: Tektronix, Inc., Beaverton, OR. Lines: 32 In article <25003@tut.cis.ohio-state.edu> karl@dinosaur.cis.ohio-state.edu (Karl Kleinpaste) writes: ) Personally, I advocate a menu-driven setuid-root program which allows ) for exactly the set of things which a not-normally-administrator ) person might possibly have to do in order to stay alive while a real ) admin is unavailable. Restrict it heavily and never give an editor ) escape for any reason. ) ... Yeah, sure, but what if this spiffy menu contraption allows its luser to make new accounts? "Gee, maybe I'll make an account with uid 0, and put /bin/csh as its shell, and leave the password off until someone comes along and puts one in, and see what happens ..." I'm thinking in particular of UTek's sysadmin as one example of a menustrosity that one could grant access to for fake superusers. It may not be what you had in mind, but my general point, if there is one, is that your menu thing is likely to be either too limited to be useful or general enough that someone who knows Unix will have himself a root shell before lunch. A program that carefully selects out what can be done "safely" might be ok. My offhand guess is that it would be far simpler, and more useful, to single out existing commands with no escapes, and put 4754 0/0 permissions on them, or similarly adjust group permissions on the data files they use if that is a feasible way of making them accessible to mortals. A menu-type thingy would have to be flexible to be useful; "Hey George, we want to do lprm too; recompile weenie_root for me, would you?" :-) Enough already. It really is easier to give out the root password; on "modern" systems it can be disabled for a user by removing him from group 0.