[arch-general] Tired of being asked for a password for "su"? Arch has the solution

David C. Rankin drankinatty at suddenlinkmail.com
Tue Mar 2 18:39:30 EST 2010


On 03/01/2010 05:03 PM, Ray Kohler wrote:
> On Mon, Mar 1, 2010 at 5:58 PM, David C. Rankin
> <drankinatty at suddenlinkmail.com> wrote:
>> On 03/01/2010 01:14 PM, Florian Pritz wrote:
>>> On 03/01/2010 07:58 PM, David C. Rankin wrote:
>>>>      As the comment says, the entry causes pam to implicitly trust members of the
>>>> wheel group. Eliminating the need to type a 14 char pw 10 times a day is a
>>>> time-saver.
>>>
>>> PAM itself should be pretty secure, but what you are trying to achieve
>>> isn't. There is a reason behind that password prompt. You don't want
>>> anyone who gains access to your account (daemons, scripts, ...) to have
>>> root access right away without ever asking for a password. If you don't
>>> want to type yours that often use sudo -s.
>>>
>>
>> Ed, Florian,
>>
>>        Thank you for your insight. I guess I should have also included the fact that
>> the box in question sits in my home-office and physical security isn't an issue.
>> Also, there is only one member of the wheel group -- me.
>>
>>        Thinking through the threat scenario, as long as pam is doing its job and only
>> allowing members of the wheel group to su without a password, that limits
>> vulnerability to (1) a pam exploit or (2) privilege escalation by a user to
>> become a member of the wheel group. I see it as pretty minimal, but I guess a
>> good compromise is to revert to a password when the machine goes online, but to
>> enjoy the convenience while I'm setting the box up while it doesn't have any
>> access from the outside.
>>
>>        It worries me to think about the possible security implications, but the lazy
>> side of me sure does like the convenience :p
> 
> What would worry me is things like JavaScript exploits and worms -
> things that you download and then run as yourself, whether
> intentionally or not. A password prompt will block malware like that,
> but with no password, you just go owned in one step.
> 

That's what my limited understanding was missing! Good info Ray. When the box
goes on-line the comment goes back in /etc/pam.d/su. Thank you for the info I
needed.

Now why would somebody put that commented ability in ../pam.d/su? Probably for
just the exact reasons we have discussed in the thread. Learning has occurred,
it's been a good day...

-- 
David C. Rankin, J.D.,P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com
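An added example, not code from this thread: a small POSIX sh audit of the /etc/pam.d/su setting discussed above. It assumes the "implicitly trust wheel" entry is an auth line loading pam_wheel.so with the trust option (as in the stock Linux-PAM su file); the sample su files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Returns 0 if FILE ($1) has an active (uncommented) auth line that loads
# pam_wheel.so with the "trust" option, i.e. wheel members can su to root
# with no password prompt; returns 1 otherwise. Comments are stripped first
# so a commented-out entry (the shipped default) does not count.
pam_su_trust_active() {
    sed 's/#.*$//' "$1" |
        grep -Eq '^[[:space:]]*auth[[:space:]].*pam_wheel\.so.*[[:space:]]trust([[:space:]]|$)'
}

# Writes a constructed /etc/pam.d/su look-alike to FILE ($1), modelled on the
# stock Linux-PAM su file (assumption). With mode "open" ($2) the trust line is
# uncommented (the convenience setting); otherwise it stays commented out.
write_sample_su() {
    file="$1"; mode="$2"
    if [ "$mode" = open ]; then prefix=""; else prefix="#"; fi
    cat > "$file" <<EOF
#%PAM-1.0
auth		sufficient	pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
${prefix}auth		sufficient	pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth		required	pam_wheel.so use_uid
auth		required	pam_unix.so
account		required	pam_unix.so
session		required	pam_unix.so
EOF
}

# Prints a verdict for FILE ($1, default: the live /etc/pam.d/su when readable).
audit_su() {
    file="${1:-/etc/pam.d/su}"
    if [ ! -r "$file" ]; then echo "$file: not readable"; return 0; fi
    if pam_su_trust_active "$file"; then
        echo "$file: WARNING pam_wheel trust active - wheel members su to root without a password"
    else
        echo "$file: ok - su still prompts for the root password"
    fi
}

# Demonstration on constructed files, safe to run on any machine.
tmp="${TMPDIR:-/tmp}/pam-su-audit.$$"
mkdir -p "$tmp"
write_sample_su "$tmp/su.shipped" shipped
write_sample_su "$tmp/su.open" open
audit_su "$tmp/su.shipped"
audit_su "$tmp/su.open"
rm -rf "$tmp"
```

Run `audit_su` with no argument to check the real /etc/pam.d/su on a box; uncommenting the trust line again when the machine goes online is exactly what the check would flag.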

