[ewg] Allowing ib dignostics to be run without being logged in as root.

Hal Rosenstock hal.rosenstock at gmail.com
Wed May 26 06:50:16 PDT 2010


On Tue, May 25, 2010 at 7:21 PM, Woodruff, Robert J
<robert.j.woodruff at intel.com> wrote:
> Hal wrote,
>
>>If you really want any user to do this, is changing umad permissions
>>sufficient ? This is less of a security hole than setuid but does open
>>things up for malicious users.
>
>>-- Hal
>
> I wanted to avoid doing this as it would allow some malicious user to
> just open /dev/umad and send random mads and cause big problems with the fabric.
>
> I was thinking that if the applications like perfquery are "trusted"
> to not allow someone to do anything malicious, then having them
> run as setuid root would not open a security hole ?

I don't know exactly how setuid programs are exploited to obtain
general root access but I've heard this.

> sudo sounds like if would allow them to run any command as root ID,
> which I think is a larger security hole than just setting the one
> or few trusted applications to setuid root. But then, I am not a
> security expert so I may not know all of the possible issues with
> setting a command to setuid root.

sudo can be configured for specific commands to be allowed to specific users.

-- Hal

>
> woody
>
>
> _______________________________________________
> ewg mailing list
> ewg at lists.openfabrics.org
> http://lists.openfabrics.org/cgi-bin/mailman/listinfo/ewg
>



More information about the ewg mailing list