More PATH fallout. Who decided this was a good idea?
Steve Grubb
sgrubb at redhat.com
Sat Dec 6 18:05:14 UTC 2008
On Saturday 06 December 2008 12:58:11 Joe Nall wrote:
> > Because if they didn't type --help, we are going to have to log the
> > attempted compromise. Sending an audit event requires CAP_AUDIT_WRITE. You
> > have to be setuid root from the beginning or not at all.
>
> Can't a non-root user audit now that we have file system capabilities?
Yes, but so far the only test we tried was soundly rejected by the Fedora
community. So, I think this is a non-starter. If we couldn't do ping, we
definitely can't do shadow-utils.
But even if we did use the filesystem capabilities, now you have a program with
elevated privileges and much more work has to be done to prove that its safe,
document its internal logic, and test its protection. Any program with file
system capabilities becomes a target for attack.
And all this work just for --help ? Seriously.
-Steve
More information about the fedora-devel-list
mailing list