set-uid root /usr/lib/nspluginwrapper/plugin-config

Stephen Smalley sds at tycho.nsa.gov
Thu Apr 17 14:01:32 UTC 2008


On Mon, 2008-04-14 at 16:08 -0400, Chris Ricker wrote:
> On Mon, 14 Apr 2008, Chuck Anderson wrote:
> 
> > On Mon, Apr 14, 2008 at 03:57:56PM -0400, Jesse Keating wrote:
> > > On Mon, 2008-04-14 at 15:46 -0400, Chuck Anderson wrote:
> > > > Why is this program set-uid root?
> > > > 
> > > > ls -l /usr/lib/nspluginwrapper/plugin-config
> > > > -rwsr-xr-x 1 root root 60048 2008-03-11 10:02 /usr/lib/nspluginwrapper/plugin-config*
> > > > 
> > > > https://bugzilla.redhat.com/show_bug.cgi?id=442065
> > > 
> > > Probably so that it can create files in /usr/lib/mozilla when a user
> > > downloads a plugin via their browser.
> > 
> > That just seems wrong.  If a user can download a plugin, it should be 
> > put in ~/.mozilla/plugins.  A user shouldn't be able to force a plugin 
> > into a system-wide directory.
> 
> See https://bugzilla.redhat.com/show_bug.cgi?id=334311 for more history on it

Does it have its own domain in policy so that it is at least confined to
only those capabilities it requires and only to access those files it
requires?

Although that won't help from the default user shell of unconfined_t.

-- 
Stephen Smalley
National Security Agency




More information about the fedora-devel-list mailing list