SU vs. ssh root at host

Dan Kaminsky dankamin at cisco.com
Sat Feb 24 13:12:31 EST 2001


All--

    su cannot be run without trusting the shell.  The shell cannot be
trusted without trusting any instructions the shell uses, from library calls
to rc scripts.  Hell, the instructions the shell uses can't even be trusted,
since they're all living in userspace memory.

    By contrast, SSHD is generally a root owned, highly secure environment
with no unprivileged userspace dependencies.

    So:  For what possible reason would I want to su to root, or any other
account, instead of simply authenticating with the correct UID in the first
place?

    What comes to mind is the concept that only certain users might be
allowed to su to root, and that by forcing users to log in as themselves,
an accounting of *who* went to root may be done.  This seems to me an
instance where accounting is being valued higher than authorization--a
broken model, since a flaw in authorization will create misleading
accounting logs.

    There are a couple of solutions that allow us to retain such accounting,
and do it *securely*, but I'd like to achieve some kind of consensus that
depending on su causes root access to be dependent upon unprivileged
security, and is thus something to be engineered against.

Yours Truly,

    Dan Kaminsky, CISSP
    www.doxpara.com
