More PATH fallout. Who decided this was a good idea?

Seth Vidal skvidal at fedoraproject.org
Sat Dec 6 18:14:09 UTC 2008



On Sat, 6 Dec 2008, Steve Grubb wrote:

> On Saturday 06 December 2008 12:58:11 Joe Nall wrote:
>>> Because if they didn't type --help, we are going to have to log the  
>>> attempted compromise. Sending an audit event requires CAP_AUDIT_WRITE. You
>>> have to be setuid root from the beginning or not at all.
>>
>> Can't a non-root user audit now that we have file system capabilities?
>
> Yes, but so far the only test we tried was soundly rejected by the Fedora
> community. So, I think this is a non-starter. If we couldn't do ping, we
> definitely can't do shadow-utils.
>
> But even if we did use the filesystem capabilities, now you have a program with
> elevated privileges and much more work has to be done to prove that it's safe,
> document its internal logic, and test its protection. Any program with file
> system capabilities becomes a target for attack.
>
> And all this work just for --help ?  Seriously.
>

I think the resistance you're getting is how binaries (to a person running 
as non-root) appear to be vanishing. Things they could do, they suddenly 
cannot. And the justification appears to be a certification that fedora 
has never decided to pursue.

You see the reason for the pushback?

-sv
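The exchange above turns on one mechanical point: a process can only emit an audit record if CAP_AUDIT_WRITE is in its effective capability set, which it gets either by being setuid root (full capabilities from the start) or from a file capability on the binary. The following program is an added example, not code from this thread or from shadow-utils; it is Linux-only and reads the CapEff line of /proc/self/status to report whether the calling process currently holds CAP_AUDIT_WRITE (bit 29 in linux/capability.h) and whether it is running setuid. Running it as an ordinary user, as root, and after `setcap cap_audit_write+ep` on a copy makes the difference between the three cases visible.

```c
/* Added example (not from the mailing-list thread): inspect this process's
 * effective capability mask from /proc/self/status and report whether it
 * could emit an audit record (needs CAP_AUDIT_WRITE) and whether it is
 * running setuid. Linux-only; CAP_AUDIT_WRITE is bit 29 in linux/capability.h. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>

#define CAP_AUDIT_WRITE_BIT 29

/* Return 1 if capability number `cap` is set in the hex mask `hexmask`
 * (the format used by the Cap* lines in /proc/<pid>/status), else 0. */
int cap_in_mask(const char *hexmask, int cap)
{
    uint64_t mask = strtoull(hexmask, NULL, 16);
    if (cap < 0 || cap > 63)
        return 0;
    return (int)((mask >> cap) & 1u);
}

/* Extract the hex mask from a status line such as "CapEff:\t0000003fffffffff".
 * Returns 1 and fills `out` on success, 0 when the line is not that field. */
int parse_cap_line(const char *line, const char *field, char *out, size_t outlen)
{
    size_t flen = strlen(field);
    if (strncmp(line, field, flen) != 0 || line[flen] != ':')
        return 0;
    const char *p = line + flen + 1;
    while (*p == ' ' || *p == '\t')
        p++;
    size_t n = strcspn(p, "\r\n");
    if (n == 0 || n >= outlen)
        return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Read the CapEff mask of the calling process. Returns 1 on success. */
int read_effective_caps(char *out, size_t outlen)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return 0;
    char line[256];
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        if (parse_cap_line(line, "CapEff", out, outlen)) {
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

int main(void)
{
    char mask[32];
    if (!read_effective_caps(mask, sizeof mask)) {
        fprintf(stderr, "cannot read /proc/self/status (Linux only)\n");
        return 1;
    }
    /* A setuid binary has a real uid that differs from its effective uid. */
    int setuid_run = getuid() != geteuid();
    printf("CapEff=%s setuid=%s CAP_AUDIT_WRITE=%s\n", mask,
           setuid_run ? "yes" : "no",
           cap_in_mask(mask, CAP_AUDIT_WRITE_BIT) ? "present" : "absent");
    return 0;
}
```

The check is split into pure helpers (`cap_in_mask`, `parse_cap_line`) so the mask-parsing logic can be exercised on constructed status lines without privileges; only `read_effective_caps` touches the live process.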


More information about the fedora-devel-list mailing list