Re: Problem running a setuid Perl script on CentOS 4.5




On Nov 16, 2007 11:16 AM, James Olin Oden <james.oden@xxxxxxxxx> wrote:
> On 11/16/07, Alfred von Campe <alfred@xxxxxxxxxxxxx> wrote:
> > On Nov 16, 2007, at 9:55, Marc Wiatrowski wrote:
> >
> > > Being aware of the security implications, do you have
> > > perl-suidperl-X.rpm installed?
> >
> > I meant I was aware of the implications of running setuid scripts.  I
> > was not aware that CentOS' upstream provider had packaged suidperl
> > separately.  Installing this package solved my problem.  However, I
> > am pursuing a sudo solution at the moment that may work even better
> > for me.
> >
> setuid scripts are not by their nature bad as some would propose.  As
> a matter of fact without using a system with mandatory access controls
> like SELinux, they can be effective tools to enhance overall security
> provided you follow some simple guidelines quite rigorously:
>
>    - As soon as you start de-elevate your privileges.
>    - Only elevate your privileges for as long as you need to (as an example
>      one may need root to open certain files, but once its opened you do
>      not need root to read and write the file).
>    - Try to keep the setuid program as simple as possible.  If there
>      is a point where it can throw away its privileges forever then do so.
>    - Be very rigorous in determining that a user in the current
>      context they are in should be using the setuid script.
>
> I think the key word in all that is "rigor" and though not used, "aware".
>
> Cheers...james
>

Good suggestions.  Also keep in mind that you don't always suid to
root.  You can also suid to another user (which seems to be the case
here).
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
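The bracketing James describes (step down as soon as you start, elevate only around the one operation that needs it, then throw privilege away for good), as an added C example that is not code from this thread. It assumes the binary itself carries the setuid bit, since the real and effective uids are read from the process at start-up; run without that bit the two are equal and every step becomes a no-op that still passes its own check.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

static uid_t privileged_uid;  /* effective uid the setuid bit gave us */
static uid_t invoking_uid;    /* real uid of the user who ran the program */

/* Guideline 1: de-elevate as soon as we start. seteuid() changes only the
 * effective uid and leaves the saved set-user-ID, so we can step back up. */
int start_unprivileged(void) {
    invoking_uid = getuid();
    privileged_uid = geteuid();
    if (seteuid(invoking_uid) != 0) return -1;
    return geteuid() == invoking_uid ? 0 : -1;
}

/* Guideline 2: bracket the one operation that needs privilege. Call
 * elevate(), do the open (or similar), then step_down() before touching
 * the data, so the file is read and written unprivileged. */
int elevate(void)   { return seteuid(privileged_uid) == 0 ? 0 : -1; }
int step_down(void) { return seteuid(invoking_uid) == 0 ? 0 : -1; }

/* Rigor check: after a permanent drop, trying to step back up must fail
 * with EPERM. If the two uids were equal there was nothing to regain. */
int privileges_gone(void) {
    if (getuid() != invoking_uid || geteuid() != invoking_uid) return 0;
    if (privileged_uid == invoking_uid) return 1;
    if (seteuid(privileged_uid) == 0) {
        /* The door was still open: step back down and report failure. */
        if (seteuid(invoking_uid) != 0) perror("seteuid");
        return 0;
    }
    return errno == EPERM;
}

/* Guideline 3: once privilege is no longer needed, throw it away forever.
 * setreuid(r, r) sets the real and effective uids; on Linux setting the
 * real uid also overwrites the saved set-user-ID, which closes the door
 * seteuid() would otherwise leave open. plain setuid(r) only does that when
 * the effective uid is root, so this form also covers a program that is
 * setuid to an ordinary service account rather than to root. */
int drop_forever(void) {
    if (setreuid(invoking_uid, invoking_uid) != 0) return -1;
    return privileges_gone() ? 0 : -1;
}

int main(void) {
    if (start_unprivileged() || elevate() || step_down() || drop_forever())
        return 1;
    printf("uid=%d euid=%d: privileges dropped for good\n",
           (int)getuid(), (int)geteuid());
    return 0;
}
```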
