[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: trust [was Re: Open Xlock as root]



On 16/12/99 Michael K. Johnson wrote:

That's one of the reasons that I've felt kind of queasy about including
root password unlocking in vlock; it occurred to me when I first wrote it,
and it's been uneasily in the back of my head ever since.  I feel like I
am participating in conditioning admins to give the root password out too
easily.  :-(

you know, why not just use pam_pwdfile to check a special passwd file where the admin can add a new [xv]unlocker passwd, not nearly as bad if that passwd is broken, it could even be shadowed by making the official vlock setgid something. this is similar to the discussion about a new module, i had forgotten that such a module already exists.


In order to be safe from this particular form of abuse, it is at least
necessary that untrusted users be unable to add the executable bit to
any file, or make the executable bit meaningless in areas that the user
can write.  That is most often done by mounting /home, /tmp, /var/tmp,
etc. with the noexec option.

this is a bit Draconian... and i think mounting /tmp and /var/tmp noexec will cause problems on many systems. (debian for example executes scripts in /var/tmp during dpkg installs so root has to remount it everytime something is to be installed)


you would more then likely have to mount the entire /var filesystem noexec to really have any effect since there are still several world writable directories there. (tetex /var/lock on some systems, etc etc) and i bet there is definitely problems mounting /var noexec.

Ethan



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []