[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Problem of install tarball packages



On Fri, Sep 26, 2008 at 10:31:46AM -0700, Aldo Foot wrote:
> On Fri, Sep 26, 2008 at 10:13 AM, Craig White <craigwhite azapple com> wrote:
> > On Sat, 2008-09-27 at 01:10 +0800, edwardspl ita org mo wrote:
> >> Aldo Foot wrote:
> >>
> >> >On Fri, Sep 26, 2008 at 9:34 AM,  <edwardspl ita org mo> wrote:
> >> >
> >> >
> >> >>Dear All,
> >> >>
> >> >>How to config the sudo, then allow user A to install tarball packages with FC8 System ?
> >> >>
> >> >>
> >>
> >> >You use the 'visudo' command to edit the /etc/sudoers files.
> >> >Don't edit that file directly.
> >> >
> >> >see this /etc/sudoers sample
> >> >http://www.gratisoft.us/sudo/sample.sudoers
> >> >
> >> >'rpm' is just another command you add to the allowed commands.
> >> >so for example a the CLI: "sudo rpm -Uvh someRpm.rpm',
> >> >
> >> >~af
> >> >
> >> >
> >> >
> >> Hello Aldo,
> >>
> >> Sorry, my means is tarball packages ( NOT rpm packages )...
> > ----
> > users don't need superuser privileges to use tar at all UNLESS they are
> > trying to 'untar' into spaces where only superuser can write, in which
> > case, security is out the window.
> >
> > Craig
> 
> You're correct. How did I mix rpm and tar? My coffee was not strong
> enough this morning.. ;-)

And the same security issue exists for yum, rpm and cpio.

If I can run "sudo `rpm -Uvh anything" I can install 
anything I want including a new pass word file, bogus user
or other backdoor.



-- 
	T o m  M i t c h e l l 
	Found me a new hat, now what?


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]