On Nov 16, 2007 11:16 AM, James Olin Oden <james.oden@xxxxxxxxx> wrote:
> On 11/16/07, Alfred von Campe <alfred@xxxxxxxxxxxxx> wrote:
> > On Nov 16, 2007, at 9:55, Marc Wiatrowski wrote:
> >
> > > Being aware of the security implications, do you have
> > > perl-suidperl-X.rpm installed?
> >
> > I meant I was aware of the implications of running setuid scripts. I
> > was not aware that CentOS' upstream provider had packaged suidperl
> > separately. Installing this package solved my problem. However, I
> > am pursuing an sudo solution at the moment that may work even better
> > for me.
> >
> setuid scripts are not by their nature bad as some would propose. As
> a matter of fact without using a system with mandetory access controls
> like SELinux, they can be effective tools to enhance overal security
> provided you follow some simple
> guidelines quite rigorously:
>
> - As soon as you start de-elevate your privileges.
> - Only elevate your privileges for as long as you need to (as an example
> one may need root to open certain files, but once its opened you do
> not need root to read and write the file).
> - Try to keep the setuid program as simple as possible. If there
> is a point where
> it can throw away its privileges forever then do so.
> - Be very rigorous in determining that a user in the current
> context they are in
> should be using the setuid script.
>
> I think the key word in alll that is "rigor" and though not used, "aware".
>
> Cheers...james
>
Good suggestions. Also keep in mind that you don't always suid to
root. You can also suid to another user (which seems to be the case
here).
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
