Export
David L Norris
dave at webaugur.com
Tue Jan 13 03:33:02 UTC 2004
On Mon, 2004-01-12 at 19:35, Adam Kosmin wrote:
> But by commenting out the uid check, you're adding /sbin, /usr/sbin, and
> /usr/local/sbin, to the environment of all users on the system. My
> understanding is that this is a no-no when it comes to securing the
> system.

Security-wise it's irrelevant except that it may cause administrators to
think they have to log in as root to run programs with root privileges.

Placing /usr/sbin in the PATH may break applications which use the PAM
consolehelper. Which means programs that must run as root (e.g.
redhat-config-*) will not properly prompt for a password. Those
applications will instead fail to run at all or run unprivileged causing
confusion and frustration.

This one is meant for normal users (i.e. it asks for the root password):

$ ls -l /usr/bin/redhat-config-network
lrwxrwxrwx 1 root root 13 Nov 13 15:00 /usr/bin/redhat-config-network -> consolehelper*

This one is meant for root (consolehelper executes this one):

$ ls -l /usr/sbin/redhat-config-network
-rwxr-xr-x 1 root root 178 Oct 28 08:11 /usr/sbin/redhat-config-network*

If one feels they must place /usr/sbin in the PATH for normal users then
make sure it is the very last item (i.e. pathmunge /usr/sbin after).

For non-root users the PATH should be similar to this:

PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin

--
David Norris
http://www.webaugur.com/dave/
ICQ - 412039
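
The ordering effect described in the message above, as an added example that is not part of the original post or of any Red Hat script: a shell check that lists consolehelper wrapper symlinks which a given PATH would bypass because a same-named program is found first. The function names and the temporary directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: list consolehelper wrappers that a given PATH would bypass.

# Print the first regular, executable file called $1 found along PATH string $2.
first_match() (
    IFS=:; set -f
    for dir in $2; do
        f="${dir:-.}/$1"
        if [ -f "$f" ] && [ -x "$f" ]; then printf '%s\n' "$f"; exit 0; fi
    done
    exit 1
)

# For every symlink to consolehelper in the directories of PATH string $1,
# report it when a different file of the same name is found first.
shadowed_wrappers() (
    IFS=:; set -f
    for dir in $1; do
        set +f   # the PATH list is already split; globbing is needed below
        for link in "${dir:-.}"/*; do
            [ -L "$link" ] || continue
            case $(readlink "$link") in
                consolehelper|*/consolehelper) ;;
                *) continue ;;
            esac
            hit=$(first_match "${link##*/}" "$1") || continue
            [ "$hit" = "$link" ] || printf '%s shadowed by %s\n' "$link" "$hit"
        done
    done
)

# Constructed fixture mirroring the two ls listings in the message.
make_fixture() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/bin" "$root/usr/bin" "$root/usr/sbin"
    printf '#!/bin/sh\n' > "$root/usr/bin/consolehelper"
    printf '#!/bin/sh\n' > "$root/usr/sbin/redhat-config-network"
    chmod 755 "$root/usr/bin/consolehelper" "$root/usr/sbin/redhat-config-network"
    ln -s consolehelper "$root/usr/bin/redhat-config-network"
    printf '%s\n' "$root"
}

r=$(make_fixture)
echo "sbin last:";  shadowed_wrappers "$r/bin:$r/usr/bin:$r/usr/sbin"
echo "sbin first:"; shadowed_wrappers "$r/usr/sbin:$r/bin:$r/usr/bin"
rm -rf "$r"
```

Calling `shadowed_wrappers "$PATH"` from a non-root login shell audits the PATH actually in effect; no output means every wrapper is reached before its privileged counterpart.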