[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: More PATH fallout. Who decided this was a good idea?





On Sat, 6 Dec 2008, Steve Grubb wrote:

On Saturday 06 December 2008 12:58:11 Joe Nall wrote:
Because if they didn't type --help, we are going to have to log the  
attempted compromise. Sending an audit event requires CAP_AUDIT_WRITE. You
have to be setuid root from the beginning or not at all.

Can't a non-root user audit now that we have file system capabilities?

Yes, but so far the only test we tried was soundly rejected by the Fedora
community. So, I think this is a non-starter. If we couldn't do ping, we
definitely can't do shadow-utils.

But even if we did use the filesystem capabilities, now you have a program with
elevated privileges and much more work has to be done to prove that its safe,
document its internal logic, and test its protection. Any program with file
system capabilities becomes a target for attack.

And all this work just for --help ?  Seriously.


I think the resistance you're getting is how binaries (to a person running as non-root) appear to be vanishing. Things they could do, they suddenly cannot. And the justification appears to be a certification that fedora has never decided to pursue.

You see the reason for the pushback?

-sv

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]