[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]
Re: More PATH fallout. Who decided this was a good idea?
- From: Chris Adams <cmadams hiwaay net>
- To: fedora-devel-list redhat com
- Subject: Re: More PATH fallout. Who decided this was a good idea?
- Date: Sat, 6 Dec 2008 19:59:44 -0600
Once upon a time, Steve Grubb <sgrubb redhat com> said:
> On Saturday 06 December 2008 00:55:24 Jesse Keating wrote:
> > These are required to be this way for our Common Criteria evaluations.
> >
> > Is the thought here that if the code can be executed by a non-root user,
> > the audit of the code would have to be far more strict?
>
> No, it has more to do with the fact that we have to audit all attempts to
> modify trusted databases - in this case, shadow. No one can use these tools
> since they do not have the permissions required to be successful. So, we
> remove the ability to use these tools so that we don't have to audit it.
>
> IOW, if we open the permissions, we need to make these become setuid root so
> that we send audit events saying they failed.
Then later, Steve Grubb <sgrubb redhat com> said:
> > So "cat >> /etc/shadow" is audited?
>
> Of course.
So cat will have to be setuid root so it can audit? What about echo,
bash, perl, etc.?
This is absurd.
--
Chris Adams <cmadams hiwaay net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]