[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: More PATH fallout. Who decided this was a good idea?

On Saturday 06 December 2008 11:56:31 Jesse Keating wrote:
>  ordinary user cannot possibly use these tools since they do not have the
> > requisite permissions.
> Now I'm confused.  Why would the binary have to be suid?

Because if they didn't type --help, we are going to have to log the attempted 
compromise. Sending an audit event requires CAP_AUDIT_WRITE. You have to be 
setuid root from the beginning or not at all.

> It seems that the cert folks have a different definition of "use" than
> we do.  A normal user should be able to use the binary to get help
> output, and the binary would be useful in path for things like tab
> completion leading up to a sudo call.

An unprivileged user cannot successfully use this utility. Just like tcpdump 
can't be used. The difference is that shadow-utils modifies a trusted database 
and tcpdump doesn't. 

If you need to see the command options, look at the man page. That's what its 
there for.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]