Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Application Account with System GID - Confirm or rebut my though on the risk?
Top Forums UNIX for Dummies Questions & Answers Application Account with System GID - Confirm or rebut my though on the risk? Post 302087979 by F150 Duke on Thursday 7th of September 2006 04:51:23 PM
Old 09-07-2006
Application Account with System GID - Confirm or rebut my though on the risk?
You guys tell me. Am I wrong on this one? If so, where is the hole in my thoughts?

Thanks,

Duke


Specs:

Solaris version of Unix

"ROOT" primary group is "other" (GID = 1)

Application account (not system account) is assigned to the "other" GID (1).

Issue:

Application account and "ROOT" have the same GID of 1 (designated as "other")

Risk:

If the application account is compromised it could lead to a ROOT compromise because the "other" group is a system group. Also, it could allow the application account unauthorized access to other systems in the network where the group ID "1" (other group ID) is assigned to another group name.

System groups should only be assigned to disabled system accounts because of inconsistency between platform group assignments and the existence of powerful system groups on some Unix systems.

Solution

Remove the application account from the system GID of 1 "other".
 

8 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

delete or disable the system generated account

I have this unix version 3.0 "UNIX_SV server 4.0 3.0 3425 Pentium II(TM)-ISA/PCI" can i delete or disable the system generated account as "daemon";"uucp";"sys";"adm";"listen";"bin" and if yes how can i do it? Regards (1 Reply)
Discussion started by: sak900354
1 Replies

2. Forum Support Area for Unregistered Users & Account Problems

new account, not recieving email to confirm

Hello, I registered an account several hours ago, and never recieved the email registration link in my email account. Read the instructions posted here, and requested to resend registration link, and this one also has not shown up in my email acccount. yes, I've checked the bulk folder as... (1 Reply)
Discussion started by: denn
1 Replies

3. UNIX for Dummies Questions & Answers

How to change the system account that a process is running on?

I'm running an Apache server on Ubuntu. When I try to call fopen() in PHP, I get a bunch of permission errors. I searched for advice on this, and I found that I needed to change the system account that Apache runs on. However, I'm not sure how to do this, and I was unable to find the answer on... (3 Replies)
Discussion started by: gloriac991
3 Replies

4. Linux

How to delete a user account in linux bases application.

Hi, Can anyone please guide me how can I remove/block a user from a server access. /usr/sbin/adduser -d /home/john john echo ****** | passwd --stdin john I used the above command to add a user "john". How do I delete and block john. Appreciate your responses. (1 Reply)
Discussion started by: sureshcisco
1 Replies

5. UNIX and Linux Applications

How to delete a user account in linux bases application.

Hi, Can anyone please guide me how can I remove/block a user from a server access. /usr/sbin/adduser -d /home/john john echo ****** | passwd --stdin john I used the above command to add a user "john". How do I delete and block john. Appreciate your responses.... (2 Replies)
Discussion started by: sureshcisco
2 Replies

6. UNIX for Advanced & Expert Users

Link from mount point to sftp account of file system

Hi, Is it possible to do hard link between the mount point of file some structure to the sftp account of some other server ? If possible then what could be the behavior of link properties? Is it could be the same as we found in our environment (unix/linux). Even if we do such link , then it... (1 Reply)
Discussion started by: posix
1 Replies

7. UNIX for Dummies Questions & Answers

Single Application Operating System

I am going to start an ambitious project for my senior year of college. Just as the title says: I want to write a single application operating system that is dedicated to running only one application and none other. I need to build a bare bones UNIX operating system that will use provided binary... (5 Replies)
Discussion started by: unt_engn
5 Replies

8. UNIX for Beginners Questions & Answers

Setting UID and GID for shared folder using NFS method in Linux system

Hi everyone, have a good day to you. I am trying to use NFS to share a folder between 2 linux systems. Let's say the server which is sharing the folder is server A and the client which need to access this shared folder is server B. In server B, i am having a Joe user which UID and GID is 500.... (1 Reply)
Discussion started by: michael_hoang
1 Replies

LEARN ABOUT SUSE

pam_wheel

PAM_WHEEL(8)							 Linux-PAM Manual						      PAM_WHEEL(8)

NAME

       pam_wheel - Only permit root access to members of group wheel

SYNOPSIS

       pam_wheel.so [debug] [deny] [group=name] [root_only] [trust] [use_uid]

DESCRIPTION

       The pam_wheel PAM module is used to enforce the so-called wheel group. By default it permits root access to the system if the applicant
       user is a member of the wheel group. If no group with this name exist, the module is using the group with the group-ID 0.

OPTIONS

       debug
	   Print debug information.

       deny
	   Reverse the sense of the auth operation: if the user is trying to get UID 0 access and is a member of the wheel group (or the group of
	   the group option), deny access. Conversely, if the user is not in the group, return PAM_IGNORE (unless trust was also specified, in
	   which case we return PAM_SUCCESS).

       group=name
	   Instead of checking the wheel or GID 0 groups, use the name group to perform the authentication.

       root_only
	   The check for wheel membership is done only.

       trust
	   The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play
	   stacking the modules the wheel members may be able to su to root without being prompted for a passwd).

       use_uid
	   The check for wheel membership will be done against the current uid instead of the original one (useful when jumping with su from one
	   account to another for example).

MODULE TYPES PROVIDED

       The auth and account module types are provided.

RETURN VALUES

       PAM_AUTH_ERR
	   Authentication failure.

       PAM_BUF_ERR
	   Memory buffer error.

       PAM_IGNORE
	   The return value should be ignored by PAM dispatch.

       PAM_PERM_DENY
	   Permission denied.

       PAM_SERVICE_ERR
	   Cannot determine the user name.

       PAM_SUCCESS
	   Success.

       PAM_USER_UNKNOWN
	   User not known.

EXAMPLES

       The root account gains access by default (rootok), only wheel members can become root (wheel) but Unix authenticate non-root applicants.

	   su	   auth     sufficient	   pam_rootok.so
	   su	   auth     required	   pam_wheel.so
	   su	   auth     required	   pam_unix.so

SEE ALSO

       pam.conf(5), pam.d(5), pam(8)

AUTHOR

       pam_wheel was written by Cristian Gafton <gafton@redhat.com>.

Linux-PAM Manual						    04/01/2010							      PAM_WHEEL(8)
All times are GMT -4. The time now is 12:10 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy