Re: Serious attack vector on pkcheck ignored by Red Hat




On Wed, February 15, 2017 2:38 pm, Gordon Messmer wrote:
> On 02/15/2017 12:08 PM, Valeri Galtsev wrote:
>> /run/screen/S-<user> - NOT on CentOS 5
>> /var/spool/samba - NOT on CentOS 5 that needs extra security - in our
shop;
>
>
> To be pedantic: screen definitely creates a user-writable directory on
> CentOS 5, in a different location, and samba will include that directory
> if installed.  It can be really hard to make sure everything required is
> mounted noexec when some of these directories are automatically created
> by SUID or SGID binaries, in response to user actions.

Sure, I agree. Screen itself is SGID group screen and not SUID. One needs
to watch for places with group screen write permission, so that they do not
live anywhere that is not noexec mounted. And we never had SAMBA whenever
we went to that length in restricting users... All in all, virtualization
made our lives easier (I'm using FreeBSD jails to compartmentalize
immiscible things these days; I bet Linux has its lightweight equivalent,
and likely more than one).

Valeri



++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++




_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos


