Directory structures in the future and other things I want.
Stephen John Smoogen
smooge at gmail.com
Thu Mar 27 23:53:17 UTC 2008
2008/3/27 Jeff Spaleta <jspaleta at gmail.com>:
>
>
> 2008/3/27 Jesse Keating <jkeating at redhat.com>:
>
> >
> >
> > Again, this argument is bunk. If they're not supposed to be ran by
> > normal users, hiding them behind a path is no form of security. One can
> > just run the full path to it. If they're not supposed to be ran by
> > users, they should have correct permissions on them, or they should
> > check EUID of the caller before doing anything.
> >
>
>
> The question is, do we have programs down the sbins that make the wrong
> assumption about path segregation equalling protection? And if so, how
> many? The obvious ones to me that need scrutiny are the executables that
> are setuid root. Do we need to take some extra care about those setuid'd
> executables?
>
Not that I have run into.. the main thing is you need to make the path
in the right order:
/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin.
That way the console helper and other apps in /bin get called so they
are asked "Do you want to su to do that" for the protected apps.
--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
More information about the fedora-devel-list
mailing list