Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <20160725121351.GA746@openwall.com>
Date: Mon, 25 Jul 2016 15:13:51 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: "Eric W. Biederman" <ebiederm@...ssion.com>,
	pkg-shadow-devel@...ts.alioth.debian.org
Subject: Re: Re: [Pkg-shadow-devel] subuid security patches for shadow package

Replying out of context (not related to the specific getlogin() issue):

On Mon, Jul 25, 2016 at 10:39:30AM +0200, Sebastian Krahmer wrote:
> Err, sorry. Shared UID, different name

As a special case, this is common practice for UID 0 (root) accounts of
multiple sysadmins, providing poor man's accountability (due to the
different account names getting in all the usual logs, without having to
check which specific SSH key, etc. was used for a given login session).
We even have a tool to support it for single-user mode logins as well:

http://www.openwall.com/msulogin/

The far more common alternative to it is to use su or sudo from the
multiple sysadmins' non-root accounts.  A problem with it is that if use
of those non-root accounts is not restricted solely to su/sudo from
them, but they are also used to run other programs as non-root, then any
of those other programs may take over the root account (possibly in
multiple steps, such as by substituting shell aliases and waiting for
the sysadmin to run su/sudo next time).  To avoid this, we'd arrive at
the need to have two non-root accounts per sysadmin (and to have su/sudo
available to only one set of those accounts, so as not to expose those
programs' vulnerabilities to the other set of accounts, nor to regular
users of the system, unnecessarily), - or to have per-sysadmin root
accounts.  The latter is simpler.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.