More PATH fallout. Who decided this was a good idea?
Les Mikesell
lesmikesell at gmail.com
Sat Dec 6 21:29:55 UTC 2008
Steve Grubb wrote:
> On Saturday 06 December 2008 11:56:31 Jesse Keating wrote:
>>> ordinary user cannot possibly use these tools since they do not have the
>>> requisite permissions.
>> Now I'm confused. Why would the binary have to be suid?
>
> Because if they didn't type --help, we are going to have to log the attempted
> compromise. Sending an audit event requires CAP_AUDIT_WRITE. You have to be
> setuid root from the beginning or not at all.
OK, so log it. Why do we care? If someone thinks that typing a program
name is an attempted compromise they are so far wrong already that
nothing else you can do will help.
>> It seems that the cert folks have a different definition of "use" than
>> we do. A normal user should be able to use the binary to get help
>> output, and the binary would be useful in path for things like tab
>> completion leading up to a sudo call.
>
> An unprivileged user cannot successfully use this utility. Just like tcpdump
> can't be used. The difference is that shadow-utils modifies a trusted database
> and tcpdump doesn't.
It is whether or not you can successfully open the trusted database that
matters, not whether or not some program attempts the open. Anyone with
access to any program at all that accepts filenames has exactly the
same access to the shadow file as the shadow-utils program. That's the
whole point of a unix-like system: everything is a file and all the
access control magic has to do with whether or not you can open that file.
>
> If you need to see the command options, look at the man page. That's what it's
> there for.
How do you deal with ifconfig which has obviously useful information for
ordinary users and potentially destructive capability for privileged
users?
--
Les Mikesell
lesmikesell at gmail.com
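The point made above, that access control is decided when a program tries to open the trusted database rather than when a user merely runs the binary, can be shown in a few lines. This is an added illustration, not code from the thread or from shadow-utils; it assumes a Linux-style trusted file at `/etc/shadow` (any path works, the kernel's permission check on that path is what matters) and uses hypothetical helper names `try_open_rw`, `is_help_request` and `classify_open_result`.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Try to open a file read-write, the way a shadow-utils style tool
 * would open its database. Returns 0 on success or the errno from
 * open(2). The kernel's permission check on the file decides the
 * outcome, not the name or location of the program doing the open. */
int try_open_rw(const char *path) {
    int fd = open(path, O_RDWR);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Look at argv before touching anything privileged: "--help" or "-h"
 * is purely informational and needs no privilege at all. Returns 1 for
 * a help request, 0 when real work was requested. */
int is_help_request(int argc, char **argv) {
    for (int i = 1; i < argc; i++)
        if (strcmp(argv[i], "--help") == 0 || strcmp(argv[i], "-h") == 0)
            return 1;
    return 0;
}

/* Classify the result of the open. An EACCES for an unprivileged caller
 * is the ordinary, expected denial (return 1), not evidence of a
 * compromise; a failure while running with euid 0 is the unexpected
 * case worth recording (return 2); 0 means the open succeeded. */
int classify_open_result(int open_errno, uid_t euid) {
    if (open_errno == 0)
        return 0;
    if (open_errno == EACCES && euid != 0)
        return 1;
    return 2;
}

int main(int argc, char **argv) {
    const char *db = "/etc/shadow"; /* assumption: Linux-style trusted database */

    if (is_help_request(argc, argv)) {
        puts("usage: demo [--help]");
        return 0;
    }

    int err = try_open_rw(db);
    printf("open(%s): %s\n", db, err ? strerror(err) : "ok");
    return classify_open_result(err, geteuid());
}
```

Run as an ordinary user, `demo --help` prints usage without ever touching the database, and `demo` reports the kernel's EACCES (or EPERM) on the open, which is the same answer any other program that accepts a filename would get.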