Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 25 Jul 2016 15:13:51 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: "Eric W. Biederman" <ebiederm@...ssion.com>,
	pkg-shadow-devel@...ts.alioth.debian.org
Subject: Re: Re: [Pkg-shadow-devel] subuid security patches for shadow package

Replying out of context (not related to the specific getlogin() issue):

On Mon, Jul 25, 2016 at 10:39:30AM +0200, Sebastian Krahmer wrote:
> Err, sorry. Shared UID, different name

As a special case, this is common practice for UID 0 (root) accounts of
multiple sysadmins, providing poor man's accountability (due to the
different account names getting in all the usual logs, without having to
check which specific SSH key, etc. was used for a given login session).
We even have a tool to support it for single-user mode logins as well:

http://www.openwall.com/msulogin/

The far more common alternative to it is to use su or sudo from the
multiple sysadmins' non-root accounts.  A problem with it is that if use
of those non-root accounts is not restricted solely to su/sudo from
them, but they are also used to run other programs as non-root, then any
of those other programs may take over the root account (possibly in
multiple steps, such as by substituting shell aliases and waiting for
the sysadmin to run su/sudo next time).  To avoid this, we'd arrive at
the need to have two non-root accounts per sysadmin (and to have su/sudo
available to only one set of those accounts, so as not to expose those
programs' vulnerabilities to the other set of accounts, nor to regular
users of the system, unnecessarily), - or to have per-sysadmin root
accounts.  The latter is simpler.

Alexander

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ