r123 - in trunk/text: chapter01 chapter07

robert at linuxfromscratch.org robert at linuxfromscratch.org
Sat Jan 22 12:01:47 PST 2005


Author: robert
Date: 2005-01-22 13:01:46 -0700 (Sat, 22 Jan 2005)
New Revision: 123

Modified:
   trunk/text/chapter01/changelog.txt
   trunk/text/chapter07/01-suid.txt
Log:
added suers group for /bin/su

Modified: trunk/text/chapter01/changelog.txt
===================================================================
--- trunk/text/chapter01/changelog.txt	2005-01-22 15:56:24 UTC (rev 122)
+++ trunk/text/chapter01/changelog.txt	2005-01-22 20:01:46 UTC (rev 123)
@@ -17,5 +17,6 @@
 
 January 21st, 2005 [Robert]
 Added --with-gnu-ld to e2fsprogs to deal with broken configure script, this
-is only a cosmetic issue.
+is only a cosmetic issue. Added an suers group, and restricted /bin/su to
+that group in chapter07/suid.txt.
 

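Review bot: the added sentence is filed under the "January 21st, 2005 [Robert]" entry although this revision is dated 2005-01-22, and it points to chapter07/suid.txt while the file actually modified is chapter07/01-suid.txt. Suggest giving the suers change its own January 22nd entry and using the full file name so readers can find the section.
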
Modified: trunk/text/chapter07/01-suid.txt
===================================================================
--- trunk/text/chapter07/01-suid.txt	2005-01-22 15:56:24 UTC (rev 122)
+++ trunk/text/chapter07/01-suid.txt	2005-01-22 20:01:46 UTC (rev 123)
@@ -43,10 +43,16 @@
 /bin/ping
 /bin/passwd
 
-# If you only want certain users to be able to use su(1) you can simply add
-# those users to /etc/group's group 'root' and remove world permissions from
-# /bin/su. Another solution would be to add users to an suers' group, and
-# chgrp the /bin/su program.
+# su should be restricted to only users authorized to use su. Using unix
+# permissions works very well for this. Add an suers group, change the
+# group ownership of su to that group, and remove world permissions from su.
 
-chmod o-rx /bin/su
+groupadd suers &&
+chgrp suers /bin/su &&
+chmod 4750 /bin/su
 
+# Now 'ls -l /bin/su' should look like this:
+# -rwsr-x---  1 root suers 31088 2004-12-18 02:19 /bin/su
+
+# Users authorized to use su must be added to the 'suers' group.
+
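
Review bot: the closing comment "Users authorized to use su must be added to the 'suers' group" gives no command for doing that and does not say that a new group membership only applies to sessions started afterwards, so a freshly added user is still refused by su until they log in again. Suggest showing the command beside that comment and noting the re-login. Two smaller points in the command chain: `groupadd suers &&` fails if the group already exists, which stops the chain before the chgrp and chmod when the section is re-run, and because chgrp can clear the setuid bit, a one-line comment that `chmod 4750 /bin/su` must stay after it would keep the order from being swapped later. The size and date in the sample ls line will differ per build, so the comment should say that only the mode, owner and group need to match.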



