pfr give me your thoughts?
- This works only on Linux.
- Setting `cap_set{u,g}id` on a program is good, but then, you immediately do `set{u,g}id(0); exec()`. This defeats the whole purpose of having capabilities. You might just as well have installed this program setuid instead.
- Doesn't even ask for a password, or make any auth checks. Anybody can become `root` using this.
pfr I still to this day use the `suas` `sued` `suec` scripts from this thread.
Ah, there's a terrible security bug in the simple version of `sued` which I completely forgot about. Fixed.
Is this the version of `suec` you have?
#!/bin/sh
. ~/bin/q.sh
exec su root -c "$(q "$@")"
Don't recall what `suas` is...
pfr The only downside I've found using only `su` so far is that there is no persist option and I am required to type my password every single time.
Sometime after you asked this, I thought up a quirky technique to do just this using standard `su` -- and then promptly forgot until you bumped this thread up. Thought it up again. Here it is:
Assumptions:
- User running `su` is in group `wheel`.
- The only way to log in to the system is via SSH or in a terminal using `login`. (I.e. other services like `telnet`, `ftp`, ... are off.)
Steps:
- Remove `root`'s password. (I.e. the password is empty.)
- Make sure `root` can't log in via SSH.
The `PermitRootLogin` setting should be turned off, or commented out (the latter is the default these days).
$ fgrep PermitRootLogin /etc/ssh/sshd_config
#PermitRootLogin prohibit-password
$
- Ensure `root` can't log in on a terminal either.
Remove the `secure` word from the `on` entries in `/etc/ttys`.
The end result should be that any user belonging to `wheel` should be able to `su root` w/o a password. And, you also can't log in as root in any other way.
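
A check for the two lock-down steps described above, as an added example that is not part of the original post. The function names are hypothetical, and it assumes the `/etc/ttys` field layout of name, getty command, type, then flags; the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Paths are arguments so it can run on copies.

# Print the first uncommented PermitRootLogin value, or "default" if none is set.
sshd_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "default" }' "$1"
}

# Print the names of ttys entries whose flags include both "on" and "secure".
ttys_secure_on() {
    awk '{
        sub(/#.*/, "")                # drop comments
        gsub(/"[^"]*"/, "GETTY")      # collapse the quoted getty command to one field
        on = 0; secure = 0
        for (i = 4; i <= NF; i++) {   # assumed fields: name, getty, type, flags...
            if ($i == "on") on = 1
            if ($i == "secure") secure = 1
        }
        if (on && secure) print $1
    }' "$1"
}

# audit SSHD_CONFIG TTYS: return 0 only if both lock-down steps hold.
audit() {
    rc=0
    if [ "$(sshd_root_login "$1")" = "yes" ]; then
        echo "FAIL: PermitRootLogin is yes"; rc=1
    fi
    for tty in $(ttys_secure_on "$2"); do
        echo "FAIL: $tty is on and still marked secure"; rc=1
    done
    return $rc
}

# Constructed sample files (not taken from a real system).
d=$(mktemp -d)
printf '%s\n' '#PermitRootLogin prohibit-password' > "$d/sshd_config"
printf '%s\n' 'console none unknown off secure' \
    'ttyv0 "/usr/libexec/getty Pc" xterm on secure' \
    'ttyv1 "/usr/libexec/getty Pc" xterm on' > "$d/ttys"
audit "$d/sshd_config" "$d/ttys" || echo "audit failed: ttyv0 was left secure"
```

Run it against copies of `/etc/ssh/sshd_config` and `/etc/ttys` after making the changes; a zero exit status from `audit` means neither check found a remaining root login path.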