[ewg] Allowing ib dignostics to be run without being logged in as root.

Woodruff, Robert J robert.j.woodruff at intel.com
Tue May 25 16:21:45 PDT 2010


Hal wrote,  

>If you really want any user to do this, is changing umad permissions
>sufficient ? This is less of a security hole than setuid but does open
>things up for malicious users.

>-- Hal

I wanted to avoid doing this as it would allow some malicious user to 
just open /dev/umad and send random mads and cause big problems with the fabric.

I was thinking that if the applications like perfquery are "trusted"
to not allow someone to do anything malicious, then having them 
run as setuid root would not open a security hole ?

sudo sounds like if would allow them to run any command as root ID,
which I think is a larger security hole than just setting the one
or few trusted applications to setuid root. But then, I am not a 
security expert so I may not know all of the possible issues with
setting a command to setuid root.

woody





More information about the ewg mailing list