Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Sun
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: root group in solaris

from [Levenglick, Jeff] Network Security [Permanent Link]
Subject: RE: root group in solaris
Date: Mon, 18 Sep 2006 14:09:10 -0400 
What???????????????????

1) 'Wheel' is a bsd term/group. He is talking about Solaris. No wheels
here.
You pretty much repeated what he asked, which was to add them to the
root group.

2) From a security point of view: (better to worse)
RBAC type of setup 
Sudu type of program
Acl's (used with suid and sgid's)
Sticky bit on the group
Sticky bit on the owner
Adding someone to the root group

Reasons - 

RBAC and Sudu's can get you better control and logging. Also limit what
someone can or can not do. You must configure.

Acl's - again, you configure and know what you gave access to.

Sticky bits can be a nightmare for tracking down problems. Log
files...ect would have root as the group/owner. You also need to get
every file. (would be really bad if you sticky bit a directory :) ) I
don't mean every file on the system, but all files need to correctly
admin the system. 
You also should use with ACL's to make sure you not opening your system
security to all users)

Adding them to the group - will not give them all the files. If I
remember correctly, a lot of the files do not have root as the group
owner. (some have sys, bin, lp   ...ect)

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of Freeman, Michael
Sent: Monday, September 18, 2006 1:23 PM
To: dubaisans dubai; focus-sun@securityfocus.com
Subject: RE: root group in solaris

Typically you would add someone to the 'wheel' user group on a UNIX
system if you want them to have those privileges. You must make sure
that the tools you want users to have access to are also members of the
'wheel' group (chgrp), if it is not already setup that way by default.

http://en.wikipedia.org/wiki/Unix_security
http://www.onlamp.com/pub/a/bsd/2000/09/13/FreeBSD_Basics.html 

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
On Behalf Of dubaisans dubai
Sent: Monday, September 18, 2006 7:50 AM
To: focus-sun@securityfocus.com
Subject: root group in solaris

Hi,

I would like to give root user privileges to a set of OS administrators.
Everyone has individual user-ids on the system.
Currently they login with their personal ID and then SU to root. I donot
want to share root password with these many people.

I am thinking of adding all these users to the "root" group[GID 0].
Will it provide root-equivalent UID O access to these users. If not why
? Does the "root" group not have root user-id equivalent privileges?

Is it possible manually to make the GID 0 privileges equivalant of UID
O?

How else can I give these individual users root privileges - make all of
them UID 0 or something.? Is that a smart idea?

I am looking at something simpler than SUDO or RBAC


-----------------------------------------
This e-mail message is private and may contain confidential or
privileged information.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: root group in solaris, Freeman, Michael
Next by Date:  RE: root group in solaris, Fontanez Martin
Previous by Thread:  Re: root group in solaris, Arthur A. Lehmann III
Next by Thread:  RE: root group in solaris, Fontanez Martin
Indexes:  [Date] [Thread] [Top] [All Lists]