More PATH fallout. Who decided this was a good idea?

Callum Lerwick seg at haxxed.com
Sat Dec 6 18:14:37 UTC 2008


On Sat, 2008-12-06 at 12:52 -0500, Steve Grubb wrote:
> On Saturday 06 December 2008 11:56:31 Jesse Keating wrote:
> >  ordinary user cannot possibly use these tools since they do not have the
> >
> > > requisite permissions.
> >
> > Now I'm confused.  Why would the binary have to be suid?
> 
> Because if they didn't type --help, we are going to have to log the attempted 
> compromise. Sending an audit event requires CAP_AUDIT_WRITE. You have to be 
> setuid root from the beginning or not at all.

On Sat, 2008-12-06 at 12:02 -0600, Callum Lerwick wrote:
> If you're not auditing *every* attempt to open() /etc/shadow at the
> syscall layer 

... IN THE KERNEL

> it sounds to me like
> you are doing it wrong.

> > It seems that the cert folks have a different definition of "use" than
> > we do.  A normal user should be able to use the binary to get help
> > output, and the binary would be useful in path for things like tab
> > completion leading up to a sudo call.
> 
> An unprivileged user cannot successfully use this utility. Just like tcpdump 
> can't be used. The difference is that shadow-utils modifies a trusted database 
> and tcpdump doesn't. 

They can successfully use it to get the help page. I don't need a whole
man page I just need a short reminder of available flags. And I often
strip man and all documentation off most of my secondary systems to save
on disk space and stop !@#$ing makewhatis from pointlessly chewing CPU
and disk IO for no reason.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-devel-list/attachments/20081206/f0ce3dbc/attachment.sig>


More information about the fedora-devel-list mailing list