S 4.21 Preventing unauthorised acquisition of administrator rights

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

The su command gives any user super user rights if he or she knows the root password. Since su does not limit the number of failed attempts, there is an increased risk that the password is found by systematic trial with suitable programs. Therefore su should only be executable by the super user. Alternatively, a modified su may be installed that limits the number of failed attempts, lengthens the waiting time before su can be invoked again after each failed attempt, and locks the program and/or the terminal after a certain number of failures. Every use of the su command, successful or not, should be logged.

If the system permits it, the login name of the super user may be changed from root. However, additional super users (accounts with user ID 0) should only be created as administrative logins (see S 2.33 Division of administrator roles under Unix).

The administrator must only log in at the console, so that the password cannot be disclosed by eavesdropping on the line. In Solaris, for example, this can be enforced with the CONSOLE entry in the /etc/default/login file, which restricts root logins to the named device. Alternatively, security functions that prevent administrator passwords from being intercepted can be used. Examples of suitable mechanisms are Secure Shell (see safeguard S 5.64 Secure Shell) and one-time passwords (see safeguard S 5.34 Use of one-time passwords).

In BSD Unix, root may only log in on terminals marked as secure in the /etc/ttytab file. If this flag has been removed from all terminal entries, an administrator can become root on a terminal only by means of the su command. Consider creating a user group to which the execution of the su command is restricted.
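The two measures above (su executable only by the super user or a dedicated group, and logging of every su attempt) can be checked with a small script. The following is an added example and not part of the BSI catalogue; the group name wheel, the path /bin/su and the syslog line format it parses are assumptions, and the log lines in the usage comments are constructed.

```sh
#!/bin/sh
# Added example (not from the BSI catalogue): verify that su is set-uid root,
# executable only by a dedicated group, and count failed su attempts per user.
# The group name "wheel" and the log line format are assumptions, see below.

# Hardening to run as root on the real system:
#   groupadd wheel                 # create the administrator group if absent
#   usermod -a -G wheel alice      # only the named administrators
#   chgrp wheel /bin/su
#   chmod 4750 /bin/su             # set-uid root, group may execute, no world access

# su_restricted PATH GROUP: returns 0 when PATH is set-uid, owned by GROUP and
# not accessible to "other"; otherwise prints the reason and returns 1.
su_restricted() {
    path=$1; want=$2
    set -- $(ls -ld "$path")               # e.g. -rwsr-x--- 1 root wheel 55064 ... /bin/su
    mode=$(printf '%s' "$1" | cut -c1-10)  # drop a trailing "." or "+" (SELinux/ACL)
    grp=$4
    case "$mode" in
        ???[sS]*) ;;                        # 4th character carries the set-uid bit
        *) echo "$path: set-uid bit not set ($mode)"; return 1 ;;
    esac
    case "$mode" in
        *---) ;;                            # last three characters: "other" has nothing
        *) echo "$path: accessible to other ($mode)"; return 1 ;;
    esac
    if [ "$grp" != "$want" ]; then
        echo "$path: group is $grp, expected $want"; return 1
    fi
    return 0
}

# su_failures_over N: read syslog lines from stdin and print "user count" for
# every user with at least N failed su attempts.  Matches the message written
# by the util-linux/shadow su ("FAILED SU (to root) alice on pts/0"); other su
# implementations log differently, so adjust the pattern to yours (assumption).
su_failures_over() {
    awk -v t="$1" '
        /FAILED SU \(to / { n[$(NF-2)]++ }
        END { for (u in n) if (n[u] >= t) print u, n[u] }' | LC_ALL=C sort
}

# Usage on a live system (paths are the usual ones, adjust for your Unix):
#   su_restricted /bin/su wheel
#   su_failures_over 3 < /var/log/auth.log
```

The mode check reads the ls output rather than stat, because the stat options differ between BSD and GNU systems. The failure counter only detects the systematic guessing the safeguard warns about; it does not replace the limited-attempt su described above.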

If /etc/ttytab marks the console as secure in BSD Unix, no password is requested when booting into single-user mode; this entry must therefore be removed.

The /etc/ftpusers file lists the login names that may not log in via ftp. Since ftp transmits passwords over an unprotected clear-text connection, administrative accounts (root, bin, daemon, sys, adm, lp, smtp, uucp, nuucp, etc.) should be entered here. In some default installations root is missing from this file.
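A check that the administrative accounts named above are actually present in /etc/ftpusers, as an added example that is not part of the BSI catalogue. The file path is a parameter so the check can be run against a copy; the account list is the one from the paragraph above and should be extended with the system accounts of the Unix in use.

```sh
#!/bin/sh
# Added example (not from the BSI catalogue): check /etc/ftpusers for the
# administrative accounts named in this safeguard and add the missing ones.
# The file path is a parameter so that the check can be tried on a copy.

# Accounts that must never log in via ftp (list from the safeguard; extend it
# with the system accounts of your own Unix).
FTP_DENY_ACCOUNTS="root bin daemon sys adm lp smtp uucp nuucp"

# ftpusers_missing FILE: print, one per line, each account from the list that
# does not appear as a complete line in FILE.  A missing file means every
# account is missing, which is reported rather than hidden.
ftpusers_missing() {
    file=$1
    for acct in $FTP_DENY_ACCOUNTS; do
        grep -qx "$acct" "$file" 2>/dev/null || echo "$acct"
    done
}

# ftpusers_fix FILE: append the missing accounts to FILE (run as root on the
# real /etc/ftpusers).  The list is collected first so the file is not read
# and appended to at the same time.
ftpusers_fix() {
    file=$1
    missing=$(ftpusers_missing "$file")
    if [ -n "$missing" ]; then
        printf '%s\n' $missing >> "$file"
    fi
}

# Usage:
#   ftpusers_missing /etc/ftpusers     # report only
#   ftpusers_fix /etc/ftpusers         # repair, as root
```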

If a user or a user program executes a super user file (a file owned by root with the set-uid bit set), that user or program is granted super user rights for the duration of the execution. This is required for certain applications, but can also be misused. It must therefore be ensured that only the program files that absolutely need it are super user files and that no further super user files are added by third parties.

Automatically mounting devices for removable data media:

Any user could then obtain super user rights via set-uid programs stored on the mounted medium. Automatic mounting should therefore be handled restrictively. Some Unix versions offer a mount option (typically nosuid) that causes the set-uid bit to be ignored for the file system concerned. Using this option for removable data media should be considered.
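The two preceding points, keeping an inventory of super user files so that additions by third parties are noticed, and mounting removable media so that the set-uid bit is ignored, can be audited with the following script. It is an added example and not part of the BSI catalogue; the baseline path, the mount point prefix /media, the fstab line and the mount-table lines in the usage comments are constructed assumptions.

```sh
#!/bin/sh
# Added example (not from the BSI catalogue): inventory set-uid files owned by
# root, report files added since a stored baseline, and find removable-media
# mounts that lack the nosuid option.  Paths and sample lines are constructed.

# setuid_list DIR [OWNER]: print the regular set-uid files owned by OWNER
# (default root) below DIR, one per line, sorted so the output can be stored
# as a baseline and compared later.  -xdev keeps find on one file system.
setuid_list() {
    dir=$1; owner=${2:-root}
    find "$dir" -xdev -type f -user "$owner" -perm -4000 -print 2>/dev/null | LC_ALL=C sort
}

# setuid_new_since DIR BASELINE [OWNER]: print every set-uid file that is
# present now but not in the BASELINE file written earlier by setuid_list.
setuid_new_since() {
    dir=$1; baseline=$2; owner=${3:-root}
    setuid_list "$dir" "$owner" | LC_ALL=C comm -13 "$baseline" -
}

# mounts_missing_nosuid PREFIX: read mount-table lines from stdin (the layout
# of /proc/mounts and /etc/fstab: device, mount point, type, options, ...) and
# print each mount point under PREFIX whose option list lacks nosuid.
mounts_missing_nosuid() {
    prefix=$1
    awk -v p="$prefix" 'index($2, p) == 1 {
        n = split($4, o, ",")
        ok = 0
        for (i = 1; i <= n; i++) if (o[i] == "nosuid") ok = 1
        if (!ok) print $2
    }'
}

# Usage on a live system:
#   setuid_list / > /var/lib/setuid.baseline        # once, after installation
#   setuid_new_since / /var/lib/setuid.baseline     # periodically; output should be empty
#   mounts_missing_nosuid /media < /proc/mounts     # Linux; use mount(8) output elsewhere
# A corresponding /etc/fstab entry for a removable medium (constructed example):
#   /dev/sdb1  /media/usb  vfat  rw,nosuid,nodev,noexec  0  0
```

The baseline comparison only detects additions; removals and permission changes on existing set-uid files should be reviewed separately, for example with a file integrity checker.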

When sharing directories that may be mounted by other computers, the restrictions described in S 5.17 Use of the NFS security mechanisms must be observed. In particular, no directories with root rights should be shared and directories with write rights should be shared only if required.

This safeguard is complemented by safeguard S 4.18 Administrative and technical means to control access to the system-monitor and single-user mode.

Review questions: