-----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-02:24.k5su Security Advisory The FreeBSD Project Topic: k5su utility does not honor `wheel' group Category: kerberos5 Module: kerberos5/usr.bin/k5su Announced: 2002-05-20 Credits: jmallet@FreeBSD.org Affects: FreeBSD 4.4-RELEASE FreeBSD 4.5-RELEASE FreeBSD-STABLE prior to the correction date Corrected: 2002-05-15 12:51:30 UTC (RELENG_4) 2002-05-15 12:56:21 UTC (RELENG_4_5) 2002-05-15 13:04:00 UTC (RELENG_4_4) FreeBSD only: YES I. Background The k5su utility is a SU utility similar to su(1), and is used to switch privileges after authentication using Kerberos 5 or the local passwd(5) file. k5su is installed as part of the `krb5' distribution, or when building from source with MAKE_KERBEROS5 set. Neither of these are default settings. II. Problem Description Historically, the BSD SU utility only allows users who are members of group `wheel' (group-ID 0) to obtain superuser privileges. The k5su utility, however, does not honor this convention and does not verify group membership if a user has successfully authenticated. k5su also lacks other features of su(1), such as checking for password expiration, implementing login classes, and checking for the target user's login shell in /etc/shells. III. Impact Contrary to the expectations of many BSD system administrators, users not in group `wheel' may use k5su to attempt to obtain superuser privileges. Note that this would require knowledge of the root account password, or an explicit entry in the Kerberos 5 `.k5login' ACL for the root account. IV. Solution Remove the set-user-ID bit from the k5su utility: # chmod u-s /usr/bin/k5su This will completely disable k5su. Sites which wish to use Kerberos 5 authentication for SU and are comfortable with its limitations may choose to leave the set-user-ID bit enabled. As of the correction date, FreeBSD (including the upcoming 4.6-RELEASE) will install k5su if requested, but the set-user-ID bit will not be enabled by default. See also the ENABLE_SUID_K5SU option in make.conf(5). VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Path Revision Branch - ------------------------------------------------------------------------- src/UPDATING RELENG_4 1.73.2.67 RELENG_4_5 1.73.2.50.2.12 RELENG_4_4 1.73.2.43.2.12 src/etc/defaults/make.conf RELENG_4 1.97.2.65 RELENG_4_5 1.97.2.59.2.1 RELENG_4_4 1.97.2.58.2.1 src/kerberos5/usr.bin/k5su/Makefile RELENG_4 1.73.2.67 RELENG_4_5 1.97.2.59.2.1 RELENG_4_4 1.1.2.2.2.1 src/share/man/man5/make.conf.5 RELENG_4 1.12.2.16 RELENG_4_5 1.12.2.12.2.1 RELENG_4_4 1.12.2.10.2.1 - ------------------------------------------------------------------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) Comment: FreeBSD: The Power To Serve iQCVAwUBPOkdtFUuHi5z0oilAQFd1wP8CUxrBx+DJhQZqLpOocpF4yd8IWclz4Uu 8I8LT5RaWNKMrOt9FB6/jGthRFNqTL72XeDaezxT72IFSUHIpF9wI87aKNVDknPp vQxh0Pr8/8EqvOLhvT6Hu/20xKrBZe2bht/lUQ/HxrgriaZteTAMfMYL653xgP5U M+0f/mfSm3w= =lTOo -----END PGP SIGNATURE-----