
Re: More PATH fallout. Who decided this was a good idea?



Steve Grubb wrote:
On Saturday 06 December 2008 11:56:31 Jesse Keating wrote:
ordinary user cannot possibly use these tools since they do not have the requisite permissions.
Now I'm confused.  Why would the binary have to be suid?

Because if they didn't type --help, we are going to have to log the attempted compromise. Sending an audit event requires CAP_AUDIT_WRITE. You have to be setuid root from the beginning or not at all.

OK, so log it. Why do we care? If someone thinks that typing a program name is an attempted compromise they are so far wrong already that nothing else you can do will help.

It seems that the cert folks have a different definition of "use" than
we do.  A normal user should be able to use the binary to get help
output, and the binary would be useful in path for things like tab
completion leading up to a sudo call.

An unprivileged user cannot successfully use this utility. Just like tcpdump can't be used. The difference is that shadow-utils modifies a trusted database and tcpdump doesn't.

It is whether or not you can successfully open the trusted database that matters, not whether or not some program attempts the open. Anyone with access to any program at all that accepts filenames has exactly the same access to the shadow file as the shadow-utils program. That's the whole point of a unix-like system: everything is a file and all the access control magic has to do with whether or not you can open that file.


If you need to see the command options, look at the man page. That's what it's there for.

How do you deal with ifconfig which has obviously useful information for ordinary users and potentially destructive capability for privileged users?

--
  Les Mikesell
   lesmikesell gmail com

