Re: Sudo from scripts


On Mon, Nov 17, 2008 at 05:42:45PM +0000, g wrote:
> Jerry Feldman wrote:
> 
> > Giving root ownership to a script IMHO is a security issue.
> 
> this is true. i have always wondered why nothing has ever been coded to check
> 'chown' to ensure that such is only done by those who have proper authority.
> 
> > Actually, the backup 
> > script probably should have been run as root via a root crontab in the 
> > first place.
> 
> many times, backups need to be run by a 'user', but they should only be allowed
> to back up their own files.
> 
> yet there is a big hole in that 'user' can backup a lot of 'system' files.
> another problem and potential breach of security. i hope that such as this
> would be covered by selinux, but i do not believe it has.

Backing up those (system) files that a user can just read in the normal
set of events is not a security issue. The serious risk is on the
restore side of things. For example, /etc/passwd needs to be +read
for the world; by contrast, /etc/shadow cannot be read.

Interpreted programs -- bash, perl, python -- must be +read! Note that
the run time loader/linker must read information from binary objects.
In fact it must do a bit of editing -- see also prelink.
It might be possible to add attributes to each section of an object
(see objdump) such that specific read/write bits and security
attributes exist and are enforced per section (I do not recommend such
an RFE).

There may be an issue if software is purchased and unauthorized copies leave
the building but that is a different component of security.
 

-- 
	T o m  M i t c h e l l 
	Found me a new hat, now what?
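The restore-side risk described above, as an added example that is not from the thread: a Python audit a user-run restore could apply to an archive before unpacking, flagging entries that a non-root restore must refuse (system paths, traversal, root ownership, setuid bits, symlinks pointing out of the home). The archive contents, the restore root `home/g`, and the `SYSTEM_PREFIXES` list are constructed for this example.

```python
import io
import os
import tarfile

# Directories a non-root restore must never write into, even though the
# backup could legitimately read some of their contents (e.g. /etc/passwd).
SYSTEM_PREFIXES = ("etc/", "bin/", "sbin/", "usr/", "lib/", "boot/")

def audit_archive(data: bytes, restore_root: str) -> list:
    """Return the reasons why entries in this tar must not be unpacked by an
    ordinary user into restore_root (a home directory such as 'home/g')."""
    problems = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            norm = os.path.normpath(m.name)
            if m.name.startswith("/") or norm.startswith(".."):
                problems.append(f"{m.name}: absolute or traversing path")
            elif norm.startswith(SYSTEM_PREFIXES):
                problems.append(f"{m.name}: writes into a system directory")
            elif norm != restore_root and not norm.startswith(restore_root + "/"):
                problems.append(f"{m.name}: outside restore root {restore_root}")
            if m.mode & 0o6000:
                problems.append(f"{m.name}: carries setuid/setgid bits")
            if m.uid == 0 or m.uname == "root":
                problems.append(f"{m.name}: owned by root in the archive")
            if m.issym():
                target = os.path.normpath(os.path.join(os.path.dirname(norm), m.linkname))
                if os.path.isabs(target) or target.startswith(".."):
                    problems.append(f"{m.name}: symlink escapes restore root ({m.linkname})")
    return problems

def build_sample() -> bytes:
    """Constructed sample: a user's backup that also swept up system files."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, content=b"", mode=0o644, uid=1000, linkname=None):
            info = tarfile.TarInfo(name)
            info.mode, info.uid, info.gid = mode, uid, uid
            if linkname is None:
                info.size = len(content)
                tar.addfile(info, io.BytesIO(content))
            else:
                info.type, info.linkname = tarfile.SYMTYPE, linkname
                tar.addfile(info)
        add("home/g/notes.txt", b"ok")                                 # fine
        add("etc/passwd", b"root:x:0:0::/root:/bin/bash\n", uid=0)     # readable, not restorable
        add("home/g/../../etc/shadow", b"root:*:0:0:::::\n", mode=0o600, uid=0)
        add("home/g/bin/helper", b"#!/bin/sh\n", mode=0o4755)          # setuid would come back
        add("home/g/link", linkname="/etc/shadow")                     # points out of the home
    return buf.getvalue()
```

Calling `audit_archive(build_sample(), "home/g")` returns six findings and nothing for `home/g/notes.txt`.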
