[ewg] Allowing ib dignostics to be run without being logged in as root.

richard@informatix-sol.com richard at informatix-sol.com
Wed May 26 12:52:54 PDT 2010 

It's better to be statically linked. However all setuid programs present a threat. The challenge as a security administrator is to assess and minimize the threat. Smaller programs where you can inspect and understand the program are more trustable than large complex programs.

Richard

----- Reply message -----
From: "Woodruff, Robert J" <robert.j.woodruff at intel.com>
Date: Wed, May 26, 2010 17:43
Subject: [ewg] Allowing ib dignostics to be run without being logged in as root.
To: "richard.croucher at informatix-sol.com" <richard.croucher at informatix-sol.com>, "'Hal Rosenstock'" <hal.rosenstock at gmail.com>
Cc: "'EWG'" <Openfabrics-ewg at openib.org>


If the application is statically linked and trusted, then,  is there no security issue ? 

-----Original Message-----
From: Informatix solutions [mailto:richard at informatix-sol.com] 
Sent: Wednesday, May 26, 2010 9:30 AM
To: Woodruff, Robert J; 'Hal Rosenstock'
Cc: 'EWG'
Subject: RE: [ewg] Allowing ib dignostics to be run without being logged in as root.

The issue is that it is entirely dependent on the security integrity of the
application with the setuid bit set.
If someone can insert code, or swap a dynamically linked library with their
own alternative, it becomes possible to have your own code executed as root.
The system is then completely compromised.

-----Original Message-----
From: ewg-bounces at lists.openfabrics.org
[mailto:ewg-bounces at lists.openfabrics.org] On Behalf Of Woodruff, Robert J
Sent: 26 May 2010 17:19
To: Hal Rosenstock
Cc: EWG
Subject: Re: [ewg] Allowing ib dignostics to be run without being logged in
as root.

Hal wrote,

>sudo can be configured for specific commands to be allowed to specific
users.

Then perhaps that is a safer way to do it, but it would put more work
on the system admin to set it up for people, but if setting the permissions
of the commands to setuid root opens up a security hole, we would not want
that.

Does anyone know if setting the permissions to setuid root does actually
open up a security hole ?

woody

 
_______________________________________________
ewg mailing list
ewg at lists.openfabrics.org
http://lists.openfabrics.org/cgi-bin/mailman/listinfo/ewg



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openfabrics.org/pipermail/ewg/attachments/20100526/b70a1dd1/attachment.html>

More information about the ewg mailing list