Steve Grubb wrote:
On Saturday 06 December 2008 11:56:31 Jesse Keating wrote:
ordinary user cannot possibly use these tools since they do not have the
requisite permissions.
Now I'm confused. Why would the binary have to be suid?
Because if they didn't type --help, we are going to have to log the attempted
compromise. Sending an audit event requires CAP_AUDIT_WRITE. You have to be
setuid root from the beginning or not at all.
OK, so log it. Why do we care? If someone thinks that typing a program
name is an attempted compromise they are so far wrong already that
nothing else you can do will help.
It seems that the cert folks have a different definition of "use" than
we do. A normal user should be able to use the binary to get help
output, and the binary would be useful in path for things like tab
completion leading up to a sudo call.
An unprivileged user cannot successfully use this utility. Just like tcpdump
can't be used. The difference is that shadow-utils modifies a trusted database
and tcpdump doesn't.
It is whether or not you can successfully open the trusted database that
matters, not whether or not some program attempts the open. Anyone with
access to any program at all that accepts filenames has exactly the
same access to the shadow file as the shadow-utils program. That's the
whole point of a unix-like system: everything is a file and all the
access control magic has to do with whether or not you can open that file.
If you need to see the command options, look at the man page. That's what it's
there for.
How do you deal with ifconfig which has obviously useful information for
ordinary users and potentially destructive capability for privileged
users?
--
Les Mikesell
lesmikesell@xxxxxxxxx
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
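As an added illustration of the CAP_AUDIT_WRITE point raised in the thread (example code, not anything posted to the list), the following Python decodes the CapEff mask that the kernel reports in /proc/<pid>/status and tells whether a process holds the capability needed to emit an audit record; the two status snippets are constructed samples, and the capability numbers are those from <linux/capability.h>.

```python
"""Decode a Linux capability bitmask and check for CAP_AUDIT_WRITE.

An unprivileged process has an empty effective set, which is why a
setuid-less shadow-utils binary could not log an audit event itself.
"""
from __future__ import annotations

# Capability numbers from <linux/capability.h> (subset relevant here).
CAP_DAC_OVERRIDE = 1    # bypass file permission checks (e.g. open /etc/shadow)
CAP_SETUID = 7
CAP_NET_RAW = 13        # what tcpdump needs for packet capture
CAP_AUDIT_WRITE = 29    # write records to the kernel audit log
CAP_AUDIT_CONTROL = 30


def decode_caps(cap_hex: str) -> set[int]:
    """Return the set of capability numbers set in a hex mask such as
    the value of the 'CapEff:' line in /proc/<pid>/status."""
    mask = int(cap_hex.strip(), 16)
    return {bit for bit in range(64) if (mask >> bit) & 1}


def can_write_audit(cap_hex: str) -> bool:
    """True if the effective set includes CAP_AUDIT_WRITE."""
    return CAP_AUDIT_WRITE in decode_caps(cap_hex)


def effective_caps_from_status(status_text: str) -> str:
    """Pull the CapEff field out of the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no CapEff line in status text")


# Constructed samples: an ordinary user's shell has no effective
# capabilities; a root shell on a kernel with 37 capabilities has all bits.
UNPRIV_STATUS = "Name:\tbash\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n"
ROOT_STATUS = "Name:\tbash\nUid:\t0\t0\t0\t0\nCapEff:\t0000001fffffffff\n"


def live_check() -> bool | None:
    """Check the current process; None when /proc is unavailable."""
    try:
        with open("/proc/self/status") as f:
            return can_write_audit(effective_caps_from_status(f.read()))
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    print("unprivileged sample:", can_write_audit(effective_caps_from_status(UNPRIV_STATUS)))
    print("root sample:", can_write_audit(effective_caps_from_status(ROOT_STATUS)))
    print("this process:", live_check())
```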