2008/3/27 Jeff Spaleta <jspaleta@xxxxxxxxx>:
>
>
> 2008/3/27 Jesse Keating <jkeating@xxxxxxxxxx>:
> >
> >
> > Again, this argument is bunk. If they're not supposed to be run by
> > normal users, hiding them behind a path is no form of security. One can
> > just run the full path to it. If they're not supposed to be run by
> > users, they should have correct permissions on them, or they should
> > check EUID of the caller before doing anything.
> >
> >
> The question is, do we have programs down the sbins that make the wrong
> assumption about path segregation equalling protection? And if so, how
> many? The obvious ones to me that need scrutiny are the executables that
> are setuid root. Do we need to take some extra care about those setuid'd
> executables?
>

Not that I have run into.. the main thing is you need to make the path
in the right order:
/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin. That way
the console helper and other apps in /bin get called so they are asked
"Do you want to su to do that" for the protected apps.

--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
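
The question raised in the thread, which setuid-root executables under the sbin directories are protected only by where they live, can be answered from file modes and ownership alone. The sketch below is an added example, not part of any message in this thread; the function names and the labels `review`, `restricted` and `no-setuid-root` are made up for illustration.

```python
import os
import stat

# The sbin directories from the PATH discussed in the thread.
SBIN_DIRS = ["/sbin", "/usr/sbin", "/usr/local/sbin"]


def classify(mode, uid):
    """Label a file by what its own mode and owner enforce (labels are illustrative)."""
    if not stat.S_ISREG(mode):
        return "skip"                      # symlinks, directories, devices
    if not (mode & stat.S_ISUID and uid == 0):
        return "no-setuid-root"            # runs with the caller's own privileges
    if mode & stat.S_IXOTH:
        return "review"                    # any user can start it with euid 0
    return "restricted"                    # permissions already limit who can run it


def scan(dirs=SBIN_DIRS):
    """Return {path: label} for every regular file directly inside dirs."""
    found = {}
    for d in dirs:
        try:
            entries = list(os.scandir(d))
        except OSError:
            continue                       # directory absent or unreadable
        for entry in entries:
            try:
                st = os.lstat(entry.path)  # lstat: do not follow symlinks
            except OSError:
                continue
            label = classify(st.st_mode, st.st_uid)
            if label != "skip":
                found[entry.path] = label
    return found


if __name__ == "__main__":
    # Print only the files whose safety cannot come from PATH or permissions.
    for path, label in sorted(scan().items()):
        if label == "review":
            print(path)
```

Files labelled `review` are the ones that have to authorise their caller themselves, since neither PATH order nor the permission bits stop an ordinary user from starting them by full path.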