Export

Alexandre Strube surak at surak.eti.br
Tue Jan 13 11:43:20 UTC 2004


On Tue, 2004-01-13 at 00:33, David L Norris wrote:

> > But by commenting out the uid check, you're adding /sbin, /usr/sbin, and
> > /usr/local/sbin, to the environment of all users on the system. My
> > understanding is that this is a no-no when it comes to securing the
> > system.
> Placing /usr/sbin in the PATH may break applications which use the PAM
> consolehelper.  Which means programs that must run as root (e.g.
> redhat-config-*) will not properly prompt for a password.  Those
> applications will instead fail to run at all or run unprivileged causing
> confusion and frustration.

This is not true - on every Red Hat system since 8.0 I've been doing this.
No machine had reduced functionality because of it. In fact, the opposite
happened. Try for yourselves, then tell me.

> If one feels they must place /usr/sbin in the PATH for normal users then
> make sure it is the very last item (i.e. pathmunge /usr/sbin after). 
> For non-root users the PATH should be similar to this:
>   PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin

You are right - but it's working anyway, even with the 'wrong' order, on
my systems. But just setting the path is something I would not call a
'security issue' - any script kiddie knows where to find these programs
even when the path is not available - in fact, most of their 'cake
recipes' use the full path :-)


-- 
[]s

Alexandre Ganso 
Red 500 FOUR - Director, Steel Goose Moto Group
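The ordering advice quoted above (sbin directories as the very last PATH items for non-root users), as an added example that is not part of either poster's message and is not Red Hat's /etc/profile code. The function names `path_move_last` and `sbin_after_bin` and the sample PATH value are hypothetical, constructed for illustration.

```shell
#!/bin/sh
# Added example. Helper names are hypothetical; this is not the pathmunge
# function shipped in /etc/profile.

# Print the PATH-style string $1 with directory $2 removed wherever it
# occurs and appended once as the final entry. Empty entries (which the
# shell treats as the current directory) are dropped.
# The body runs in a subshell so the IFS and globbing changes do not leak.
path_move_last() (
    out=
    IFS=:
    set -f
    for entry in $1; do
        if [ -z "$entry" ] || [ "$entry" = "$2" ]; then
            continue
        fi
        out="${out:+$out:}$entry"
    done
    printf '%s\n' "${out:+$out:}$2"
)

# Exit status 0 only if no directory named sbin appears before a
# non-sbin directory in the PATH-style string $1.
sbin_after_bin() (
    seen_sbin=no
    IFS=:
    set -f
    for entry in $1; do
        case $entry in
            */sbin|*/sbin/) seen_sbin=yes ;;
            *) if [ "$seen_sbin" = yes ]; then exit 1; fi ;;
        esac
    done
    exit 0
)

# Constructed sample: a non-root PATH where /usr/sbin was prepended.
sample=/usr/sbin:/bin:/usr/bin:/usr/local/bin
if ! sbin_after_bin "$sample"; then
    echo "sbin precedes bin in: $sample"
fi
fixed=$(path_move_last "$sample" /usr/sbin)
echo "reordered: $fixed"
```
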




