On 03/01/2010 01:14 PM, Florian Pritz wrote:
> On 03/01/2010 07:58 PM, David C. Rankin wrote:
>>      As the comment says, the entry causes pam to implicitly trust members
>> of the wheel group. Eliminating the need to type a 14 char pw 10 times a day
>> is a time-saver.
> 
> PAM itself should be pretty secure, but what you are trying to achieve
> isn't. There is a reason behind that password prompt. You don't want
> anyone who gains access to your account (daemons, scripts, ...) to have
> root access right away without ever asking for a password. If you don't
> want to type yours that often use sudo -s.
> 

Ed, Florian,

        Thank you for your insight. I guess I should have also included the
fact that the box in question sits in my home-office and physical security
isn't an issue. Also, there is only one member of the wheel group -- me.

        Thinking through the threat scenario, as long as pam is doing its job
and only allowing members of the wheel group to su without a password, that
limits vulnerability to (1) a pam exploit or (2) privilege escalation by a user
to become a member of the wheel group. I see it as pretty minimal, but I guess a
good compromise is to revert to a password when the machine goes online, but to
enjoy the convenience while I'm setting the box up while it doesn't have any
access from the outside.

        It worries me to think about the possible security implications, but
the lazy side of me sure does like the convenience :p

-- 
David C. Rankin, J.D.,P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com
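The "entry" under discussion is the pam_wheel `trust` line in an `/etc/pam.d/su` style file. Below is an added example (not from the thread) of a small POSIX sh check that reports whether such an entry is active, run against two constructed sample files: the convenience setup David describes and the default where the line stays commented out. The file layout and option names are those of Linux-PAM's pam_wheel module; the function names are my own.

```shell
# Added example: detect the pam_wheel "trust" entry that lets wheel members
# su to root with no password at all (Linux-PAM, /etc/pam.d/su style file).
# Florian's alternative, sudo -s, keeps a per-user password prompt; the usual
# sudoers line for that is:   %wheel ALL=(ALL) ALL

# Returns 0 if FILE ($1) contains an active (uncommented) "auth" line that
# loads pam_wheel.so with the "trust" option, 1 otherwise.
pam_wheel_trust_enabled() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+[^#]*pam_wheel\.so[^#]*[[:space:]]trust([[:space:]]|$)' "$1"
}

# Constructed sample: the convenience entry (wheel members skip pam_unix entirely)
WEAK_SU='auth sufficient pam_wheel.so trust use_uid
auth required  pam_unix.so'

# Constructed sample: the same file with that line commented out, the default
SAFE_SU='#auth sufficient pam_wheel.so trust use_uid
auth required  pam_unix.so'

# Writes sample content ($1) to a temp file, runs the check and prints a verdict
# labelled with $2. Always returns 0 so it is safe under "set -e".
report_sample() {
    tmp=$(mktemp)
    printf '%s\n' "$1" > "$tmp"
    if pam_wheel_trust_enabled "$tmp"; then
        echo "$2: wheel members can su to root without any password"
    else
        echo "$2: su still prompts for a password"
    fi
    rm -f "$tmp"
}

report_sample "$WEAK_SU" "trust entry active"
report_sample "$SAFE_SU" "trust entry commented"
```

Run it against the real file with `pam_wheel_trust_enabled /etc/pam.d/su` before the box goes online, which is the revert David proposes.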