Re: Sudo from scripts

On Mon, 2008-11-17 at 21:56 +0000, g wrote:
> Patrick O'Callaghan wrote:
> 
> > What do you mean? Chown runs as the user, so the permissions are those
> > of the user. What else should it do?
> 
> to clarify to a college professor level. [excuse satire]
> 
> 'chown' allows changing ownership without regard as to who change is being
> made to.
> 
> if i write a destructive script or program, change permissions to '777'
> then change ownership and group to root, would this not be a security risk.

You can do that if you're root. Otherwise you can't. You can do lots of
idiotic things as root. What's your point?

> therefore, to prevent such, 'chown' should not be able to change ownership
> without checking to ensure that user making change is of required authority.

The "user" is *root*, otherwise chown will fail. Note that the standard
chown command is not setuid, i.e. the real and effective user ids are
the same, and of course the command calls chown(2), the man page of
which says:

        Only a privileged process (Linux: one with the CAP_CHOWN
        capability) may change the owner of a file.

You seem to be suggesting that root should be able to change to some
owners and not to others. That may well be a sensible security policy in
some contexts, but the basic Unix security model is not rich enough to
express it since root is all-powerful (SELinux is a different story).

poc
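
The chown(2) rule quoted in the message above, as an added C example that is not part of the original thread: it creates a scratch file, keeps it with the caller, then tries to give it to root and reports the error the kernel returns. The helper name `try_chown` and the `/tmp` scratch path are assumptions made for this illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: create a scratch file owned by the caller, attempt
 * chown(2) to the given owner/group, then delete the file.
 * Returns 0 on success or the errno value reported by the kernel. */
int try_chown(uid_t owner, gid_t group)
{
    char path[] = "/tmp/chown-demo-XXXXXX";   /* constructed scratch path */
    int fd = mkstemp(path);
    if (fd < 0)
        return errno;

    int rc = (chown(path, owner, group) == 0) ? 0 : errno;

    close(fd);
    unlink(path);
    return rc;
}

int main(void)
{
    /* Owner unchanged: the file's owner may always do this. */
    int keep = try_chown(geteuid(), (gid_t)-1);

    /* Owner changed to root (uid 0): the kernel allows it only for a
     * process holding CAP_CHOWN, which in practice means root. */
    int give = try_chown(0, (gid_t)-1);

    printf("effective uid:   %ld\n", (long)geteuid());
    printf("chown to self:   %s\n", keep ? strerror(keep) : "ok");
    printf("chown to root:   %s\n", give ? strerror(give) : "ok");

    /* An unprivileged caller must see EPERM on the second call. */
    if (geteuid() != 0 && give != EPERM) {
        fprintf(stderr, "unexpected: unprivileged chown to root did not fail with EPERM\n");
        return EXIT_FAILURE;
    }
    return EXIT_SUCCESS;
}
```

Run as an ordinary user, the second call fails with "Operation not permitted"; run as root, both calls succeed.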
