[ewg] Allowing ib diagnostics to be run without being logged in as root.

Woodruff, Robert J robert.j.woodruff at intel.com
Wed May 26 09:43:22 PDT 2010


If the application is statically linked and trusted, then is there no security issue?

-----Original Message-----
From: Informatix solutions [mailto:richard at informatix-sol.com] 
Sent: Wednesday, May 26, 2010 9:30 AM
To: Woodruff, Robert J; 'Hal Rosenstock'
Cc: 'EWG'
Subject: RE: [ewg] Allowing ib diagnostics to be run without being logged in as root.

The issue is that it is entirely dependent on the security integrity of the
application with the setuid bit set.
If someone can insert code, or swap a dynamically linked library with their
own alternative, it becomes possible to have your own code executed as root.
The system is then completely compromised.

-----Original Message-----
From: ewg-bounces at lists.openfabrics.org
[mailto:ewg-bounces at lists.openfabrics.org] On Behalf Of Woodruff, Robert J
Sent: 26 May 2010 17:19
To: Hal Rosenstock
Cc: EWG
Subject: Re: [ewg] Allowing ib diagnostics to be run without being logged in as root.

Hal wrote,

> sudo can be configured for specific commands to be allowed to specific users.

Then perhaps that is a safer way to do it, but it would put more work
on the system admin to set it up for people, but if setting the permissions
of the commands to setuid root opens up a security hole, we would not want
that.

Does anyone know if setting the permissions to setuid root does actually
open up a security hole?

woody
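
Added example, not part of the original thread or of any OFED tool: a small Python audit for the two conditions raised above, namely whether a setuid binary (or its directory) can be modified by non-owners, and whether it is dynamically linked and so depends on libraries resolved at run time. It assumes Linux ELF binaries; the function names and finding labels are hypothetical.

```python
import os, stat, struct, sys

PT_INTERP = 3  # ELF program header type naming the run-time loader (ld.so)

def uses_dynamic_loader(path):
    """True if the file is an ELF image that requests a run-time loader."""
    with open(path, "rb") as f:
        data = f.read()
    if len(data) < 0x40 or data[:4] != b"\x7fELF":
        return False
    end = "<" if data[5] == 1 else ">"            # EI_DATA: 1 = little-endian
    if data[4] == 2:                              # EI_CLASS: 2 = 64-bit
        (phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:                                         # 32-bit header layout
        (phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x2A)
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + 4 > len(data):                   # truncated header table
            break
        if struct.unpack_from(end + "I", data, off)[0] == PT_INTERP:
            return True
    return False

def audit_setuid(path):
    """Findings for one setuid file (empty if not setuid). For setuid root, also require st_uid == 0."""
    st = os.stat(path)
    if not st.st_mode & stat.S_ISUID:
        return []
    findings, loose = [], stat.S_IWGRP | stat.S_IWOTH
    if st.st_mode & loose:
        findings.append("binary-writable")        # non-owners can change the code
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & loose:
        findings.append("directory-writable")     # non-owners can replace the file
    if uses_dynamic_loader(path):
        findings.append("dynamic")                # every loaded library needs the same checks
    return findings

def make_elf(p_type):
    """Constructed sample: minimal 64-bit little-endian ELF with one program header."""
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    return ehdr + struct.pack("<I", p_type) + bytes(52)

if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(p, audit_setuid(p) or "no findings")
```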
