Date: Mon, 25 Jul 2016 15:13:51 +0300 From: Solar Designer <solar@...nwall.com> To: oss-security@...ts.openwall.com Cc: "Eric W. Biederman" <ebiederm@...ssion.com>, pkg-shadow-devel@...ts.alioth.debian.org Subject: Re: Re: [Pkg-shadow-devel] subuid security patches for shadow package Replying out of context (not related to the specific getlogin() issue): On Mon, Jul 25, 2016 at 10:39:30AM +0200, Sebastian Krahmer wrote: > Err, sorry. Shared UID, different name As a special case, this is common practice for UID 0 (root) accounts of multiple sysadmins, providing poor man's accountability (due to the different account names getting in all the usual logs, without having to check which specific SSH key, etc. was used for a given login session). We even have a tool to support it for single-user mode logins as well: http://www.openwall.com/msulogin/ The far more common alternative to it is to use su or sudo from the multiple sysadmins' non-root accounts. A problem with it is that if use of those non-root accounts is not restricted solely to su/sudo from them, but they are also used to run other programs as non-root, then any of those other programs may take over the root account (possibly in multiple steps, such as by substituting shell aliases and waiting for the sysadmin to run su/sudo next time). To avoid this, we'd arrive at the need to have two non-root accounts per sysadmin (and to have su/sudo available to only one set of those accounts, so as not to expose those programs' vulnerabilities to the other set of accounts, nor to regular users of the system, unnecessarily), - or to have per-sysadmin root accounts. The latter is simpler. Alexander
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ