[arch-general] Tired of being asked for a password for "su"? Arch has the solution

David C. Rankin drankinatty at suddenlinkmail.com
Mon Mar 1 17:58:47 EST 2010


On 03/01/2010 01:14 PM, Florian Pritz wrote:
> On 03/01/2010 07:58 PM, David C. Rankin wrote:
>> 	As the comment says, the entry causes pam to implicitly trust members of the
>> wheel group. Eliminating the need to type a 14 char pw 10 times a day is a
>> time-saver.
> 
> PAM itself should be pretty secure, but what you are trying to achieve
> isn't. There is a reason behind that password prompt. You don't want
> anyone who gains access to your account (daemons, scripts, ...) to have
> root access right away without ever asking for a password. If you don't
> want to type yours that often use sudo -s.
> 

Ed, Florian,

	Thank you for your insight. I guess I should have also included the fact that
the box in question sits in my home-office and physical security isn't an issue.
Also, there is only one member of the wheel group -- me.

	Thinking through the threat scenario, as long as pam is doing its job and only
allowing members of the wheel group to su without a password, that limits
vulnerability to (1) a pam exploit or (2) privilege escalation by a user to
become a member of the wheel group. I see it as pretty minimal, but I guess a
good compromise is to revert to a password when the machine goes online, but to
enjoy the convenience while I'm setting the box up while it doesn't have any
access from the outside.

	It worries me to think about the possible security implications, but the lazy
side of me sure does like the convenience :p

-- 
David C. Rankin, J.D.,P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com
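
An added example, not part of the original message or of any Arch tooling: a shell check for the setup discussed in this thread, reporting whether a PAM service file has an active pam_wheel "trust" entry and which accounts that entry would cover. It assumes the entry in question is the `auth sufficient pam_wheel.so trust use_uid` line; the sample files and account names are constructed.

```shell
#!/usr/bin/env bash
# Added example: report whether a PAM service file lets wheel members su without a password.

# Print active (uncommented) auth lines that load pam_wheel.so with the "trust" option.
wheel_trust_lines() {   # $1 = PAM service file, e.g. /etc/pam.d/su
    awk '
        { sub(/#.*/, "") }                            # drop comments, whole-line or trailing
        $1 == "auth" || $1 == "-auth" {
            mod = 0; trust = 0
            for (i = 3; i <= NF; i++) {               # module path, then its options
                if ($i ~ /(^|\/)pam_wheel\.so$/) mod = 1
                else if (mod && $i == "trust") trust = 1
            }
            if (trust) print FNR ": " $0
        }' "$1"
}

# List wheel accounts: supplementary members plus users whose primary GID is wheel's.
wheel_members() {       # $1 = group file, $2 = passwd file
    gid=$(awk -F: '$1 == "wheel" { print $3 }' "$1")
    {
        awk -F: '$1 == "wheel" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$1"
        if [ -n "$gid" ]; then awk -F: -v g="$gid" '$4 == g { print $1 }' "$2"; fi
    } | sort -u
}

# Constructed sample files (not taken from any real system).
write_samples() {       # $1 = directory to write into
    printf '%s\n' '#%PAM-1.0' 'auth sufficient pam_rootok.so' \
        '#auth sufficient pam_wheel.so trust use_uid' 'auth required pam_unix.so' \
        'auth required pam_wheel.so use_uid  # trust not set' > "$1/su.default"
    sed 's/^#auth sufficient pam_wheel/auth sufficient pam_wheel/' \
        "$1/su.default" > "$1/su.trusting"
    printf '%s\n' 'root:x:0:root' 'wheel:x:10:alice' 'users:x:100:' > "$1/group"
    printf '%s\n' 'root:x:0:0::/root:/bin/bash' 'alice:x:1000:100::/home/alice:/bin/bash' \
        'build:x:1001:10::/home/build:/bin/bash' > "$1/passwd"
}

d=$(mktemp -d); write_samples "$d"
for f in "$d/su.default" "$d/su.trusting"; do
    hits=$(wheel_trust_lines "$f")
    if [ -n "$hits" ]; then
        echo "WARN ${f##*/}: wheel members su without a password (line $hits)"
        echo "  affected accounts: $(wheel_members "$d/group" "$d/passwd" | tr '\n' ' ')"
    else
        echo "OK   ${f##*/}: no active pam_wheel trust entry"
    fi
done
```

The constructed `build` account shows why the member list matters: it reaches wheel through its primary GID and never appears in the group file's member field.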