On 03/01/2010 05:03 PM, Ray Kohler wrote:
> On Mon, Mar 1, 2010 at 5:58 PM, David C. Rankin
> <drankinatty@xxxxxxxxxxxxxxxxxx> wrote:
>> On 03/01/2010 01:14 PM, Florian Pritz wrote:
>>> On 03/01/2010 07:58 PM, David C. Rankin wrote:
>>>> As the comment says, the entry causes pam to implicitly trust members of the
>>>> wheel group. Eliminating the need to type a 14 char pw 10 times a day is a
>>>> time-saver.
>>>
>>> PAM itself should be pretty secure, but what you are trying to achieve
>>> isn't. There is a reason behind that password prompt. You don't want
>>> anyone who gains access to your account (daemons, scripts, ...) to have
>>> root access right away without ever asking for a password. If you don't
>>> want to type yours that often use sudo -s.
>>>
>>
>> Ed, Florian,
>>
>> Thank you for your insight. I guess I should have also included the fact that
>> the box in question sits in my home-office and physical security isn't an issue.
>> Also, there is only one member of the wheel group -- me.
>>
>> Thinking through the threat scenario, as long as pam is doing its job and only
>> allowing members of the wheel group to su without a password, that limits
>> vulnerability to (1) a pam exploit or (2) privilege escalation by a user to
>> become a member of the wheel group. I see it as pretty minimal, but I guess a
>> good compromise is to revert to a password when the machine goes online, but to
>> enjoy the convenience while I'm setting the box up while it doesn't have any
>> access from the outside.
>>
>> It worries me to think about the possible security implications, but the lazy
>> side of me sure does like the convenience :p
>
> What would worry me is things like JavaScript exploits and worms -
> things that you download and then run as yourself, whether
> intentionally or not. A password prompt will block malware like that,
> but with no password, you just get owned in one step.
>

That's what my limited understanding was missing! Good info Ray.

When the box goes on-line the comment goes back in /etc/pam.d/su. Thank you for the info I needed.

Now why would somebody put that commented ability in ../pam.d/su? Probably for just the exact reasons we have discussed in the thread.

Learning has occurred, it's been a good day...

-- 
David C. Rankin, J.D., P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com
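The /etc/pam.d/su setting the thread is about, as an added example that is not part of the original messages: a small audit script that tells the "trust the wheel group" configuration apart from the hardened one where the comment is back in place. The two sample files are constructed here, modelled on the stock commented entry; the function names are my own.

```shell
# Added example: audit a pam.d/su file for an active pam_wheel.so "trust" line.
# Returns 0 (true) when an uncommented "auth" line loads pam_wheel.so with the
# "trust" option, i.e. wheel members can su to root without a password.
pam_su_trusts_wheel() {
    awk '
        /^[[:space:]]*#/ { next }                      # skip commented-out lines
        $1 == "auth" && /pam_wheel\.so/ {
            for (i = 3; i <= NF; i++) if ($i == "trust") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}
# Constructed sample: the convenience setup from the thread (trust line active).
write_su_config_trusting() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth        sufficient  pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
auth        sufficient  pam_wheel.so trust use_uid
auth        required    pam_unix.so
account     required    pam_unix.so
session     required    pam_unix.so
EOF
}
# Constructed sample: the same file with the comment put back (password required).
write_su_config_hardened() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth        sufficient  pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient  pam_wheel.so trust use_uid
auth        required    pam_unix.so
account     required    pam_unix.so
session     required    pam_unix.so
EOF
}
# Stand-alone demo on the two constructed files (not the live /etc/pam.d/su).
demo_dir=$(mktemp -d)
write_su_config_trusting "$demo_dir/su.trusting"
write_su_config_hardened "$demo_dir/su.hardened"
for f in "$demo_dir"/su.*; do
    if pam_su_trusts_wheel "$f"; then
        echo "$f: wheel members can su to root without a password"
    else
        echo "$f: su asks for the root password"
    fi
done
rm -rf "$demo_dir"
```

Only the one file given is inspected; lines pulled in through PAM `include` directives are not followed, so point it at the file su actually reads.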