[ewg] Allowing ib dignostics to be run without being logged in as root.
Woodruff, Robert J
robert.j.woodruff at intel.com
Tue May 25 16:21:45 PDT 2010
Hal wrote,
>If you really want any user to do this, is changing umad permissions
>sufficient ? This is less of a security hole than setuid but does open
>things up for malicious users.
>-- Hal
I wanted to avoid doing this as it would allow some malicious user to
just open /dev/umad and send random mads and cause big problems with the fabric.
I was thinking that if the applications like perfquery are "trusted"
to not allow someone to do anything malicious, then having them
run as setuid root would not open a security hole ?
sudo sounds like if would allow them to run any command as root ID,
which I think is a larger security hole than just setting the one
or few trusted applications to setuid root. But then, I am not a
security expert so I may not know all of the possible issues with
setting a command to setuid root.
woody
More information about the ewg
mailing list