/sbin:/usr/sbin in mortal's PATH
Horst von Brand
vonbrand at inf.utfsm.cl
Mon May 8 19:47:33 UTC 2006
Terje Bless <link at pobox.com> wrote:
> Horst von Brand <vonbrand at inf.utfsm.cl> wrote:
> >ifconfig(8) is not for luser consumption, and so are lots of others.
> `ifconfig` is _also_ for system administrators. Regular users -- my
> Oracle DBAs, say --
Those aren't "regular users" by a /very/ long shot in my book.
> have a legitimate need to check the output of
> ifconfig on occasion; and I would just as soon not have to fiddle with
> paths or aliases for all those accounts on all the systems I administer.
Set up a generic .bashrc for those special accounts then...
> I also find it annoying that I either have to type the full path --
> particularly as it means I have to remember which of
> /bin:/usr/bin:/sbin:/usr/sbin the utility in question resides in -- or
> become root just to check ifconfig output.
Use aliases.
> Utilities that serve a useful purpose for non-root users should by
> default be available in non-root users' path; if in no other way then at
> least by way of a symlink in the "unprivileged" directory.
They are in /bin and /usr/bin. What is in /sbin or /usr/sbin is /not/ for
regular user consumption. If they need it, they aren't regular users.
> Conversely, utilities that non-root users should not be allowed to use
> need to be protected in an effective manner;
... by permission to run only by selected user/group, by internal checks in
the utility, by permission checks in the kernel; where you /must/ rely
only on the last for real security, just exactly as this has worked from
day one (or thereabouts) in Unix...
> and removing the directory
> from their path is not it. This isn't even security by obscurity, it's
> security by obtuseness.
It has nothing whatsoever to do with security, and everything with not
confusing random users with commands they can't use sensibly.
--
Dr. Horst H. von Brand User #22616 counter.li.org
Departamento de Informatica Fono: +56 32 654431
Universidad Tecnica Federico Santa Maria +56 32 654239
Casilla 110-V, Valparaiso, Chile Fax: +56 32 797513
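
Added example, not part of the original message: a small audit showing the distinction drawn above between PATH membership (convenience) and mode bits (what the filesystem actually enforces). The function names and the sample "sbin" directory with its two scripts are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names and the sample files are constructed.

# Succeeds if directory $1 is a component of the PATH-style string $2.
on_path() {
    case ":$2:" in
        *":$1:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Files in $1 that any user may execute by full path (o+x set).
world_executable() {
    find "$1" -type f -perm -0001 | sort
}

# Files in $1 executable by owner or group but not by others:
# here the filesystem, not PATH, keeps ordinary users out.
restricted() {
    find "$1" -type f ! -perm -0001 \( -perm -0100 -o -perm -0010 \) | sort
}

# One-line summary: "<dir> on_path=<yes|no> open=<n> restricted=<n>"
audit_dir() {
    if on_path "$1" "$2"; then p=yes; else p=no; fi
    o=$(world_executable "$1" | wc -l | tr -d ' ')
    r=$(restricted "$1" | wc -l | tr -d ' ')
    echo "$1 on_path=$p open=$o restricted=$r"
}

# Constructed sample: a stand-in "sbin" with one 0755 and one 0750 tool.
make_sample() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho report\n' > "$d/showif"
    printf '#!/bin/sh\necho change\n' > "$d/setif"
    chmod 0755 "$d/showif"
    chmod 0750 "$d/setif"
    echo "$d"
}

sample=$(make_sample)
audit_dir "$sample" "/bin:/usr/bin"
rm -rf "$sample"
```

The counts are the same whether or not the directory is on the user's PATH; only the mode bits (and, beyond them, checks in the utility and the kernel) change who can run what.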