/sbin:/usr/sbin in mortal's PATH

Horst von Brand vonbrand at inf.utfsm.cl
Mon May 8 19:47:33 UTC 2006


Terje Bless <link at pobox.com> wrote:
> Horst von Brand <vonbrand at inf.utfsm.cl> wrote:
> >ifconfig(8) is not for luser consumption, and so are lots of others.

> `ifconfig` is _also_ for system administrators. Regular users — my
> Oracle DBAs, say —

Those aren't "regular users" by a /very/ long shot in my book.

>                     have a legitimate need to check the output of
> ifconfig on occasion; and I would just as soon not have to fiddle with
> paths or aliases for all those accounts on all the systems I administer.

Set up a generic .bashrc for those special accounts then...

> I also find it annoying that I either have to type the full path — 
> particularly as it means I have to remember which of
> /bin:/usr/bin:/sbin:/usr/sbin the utility in question resides in — or
> become root just to check ifconfig output.

Use aliases.

> Utilities that serve a useful purpose for non-root users should by
> default be available in non-root users' path; if in no other way then at
> least by way of a symlink in the “unprivileged” directory.

They are in /bin and /usr/bin. What is in /sbin or /usr/sbin is /not/ for
regular user consumption. If they need it, they aren't regular users.

> Conversely, utilities that non-root users should not be allowed to use
> need to be protected in an effective manner;

... by permission to run only by selected user/group, by internal checks in
the utility, by permission checks in the kernel; where you /must/ rely
only on the last for real security, just exactly as this has worked from
day one (or thereabouts) in Unix...

>                                              and removing the directory
> from their path is not it. This isn't even security by obscurity, it's
> security by obtuseness.

It has nothing whatsoever to do with security, and everything with not
confusing random users with commands they can't use sensibly.
-- 
Dr. Horst H. von Brand                   User #22616 counter.li.org
Departamento de Informatica                     Fono: +56 32 654431
Universidad Tecnica Federico Santa Maria              +56 32 654239
Casilla 110-V, Valparaiso, Chile                Fax:  +56 32 797513
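
The distinction drawn above between PATH as a convenience and the kernel's permission check as the actual control, as an added example that is not part of the original message. The sandbox directory and `demo_sbin_tool` are constructed stand-ins for /sbin and an sbin utility.

```shell
#!/bin/sh
# Added demonstration. The sandbox directory and demo_sbin_tool are constructed
# stand-ins for /sbin and an sbin utility; nothing outside the sandbox is touched.

# Create a throwaway "sbin" directory holding one world-executable script.
make_sandbox() {
    sb=$(mktemp -d) || return 1
    mkdir "$sb/sbin"
    printf '#!/bin/sh\necho "demo_sbin_tool ran"\n' > "$sb/sbin/demo_sbin_tool"
    chmod 0755 "$sb/sbin/demo_sbin_tool"
    printf '%s\n' "$sb"
}

# Bare-name lookup with a PATH that omits the sandbox: the shell cannot find it.
run_by_name() {
    ( PATH=/bin:/usr/bin; demo_sbin_tool ) 2>/dev/null
}

# Full-path invocation: PATH is never consulted, so hiding the directory is moot.
run_by_path() {
    "$1/sbin/demo_sbin_tool" 2>/dev/null
}

# Clear every execute bit so the kernel's exec permission check refuses the file.
lock_down() {
    chmod 0644 "$1/sbin/demo_sbin_tool"
}

demo() {
    sb=$(make_sandbox) || return 1
    rc=0; run_by_name >/dev/null || rc=$?
    echo "by name, directory not in PATH: exit $rc (127 = not found)"
    rc=0; run_by_path "$sb" >/dev/null || rc=$?
    echo "by full path, mode 0755:        exit $rc (0 = ran)"
    lock_down "$sb"
    rc=0; run_by_path "$sb" >/dev/null || rc=$?
    echo "by full path, mode 0644:        exit $rc (126 = permission denied)"
    rm -rf "$sb"
}

demo
```

On a real system the restriction would normally be by owner and group (for example mode 0750 with a dedicated group, an illustrative choice) rather than by clearing every execute bit. The demo clears them all so the result is the same whichever account runs it.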



