[ewg] Allowing ib diagnostics to be run without being logged in as root.

Justin Clift justin at salasaga.org
Wed May 26 09:51:53 PDT 2010


On 05/27/2010 02:19 AM, Woodruff, Robert J wrote:
> Hal wrote,
>
>> sudo can be configured for specific commands to be allowed to specific users.
>
> Then perhaps that is a safer way to do it, but it would put more work
> on the system admin to set it up for people, but if setting the permissions
> of the commands to setuid root opens up a security hole, we would not want
> that.

From an experienced SysAdmin perspective, the less setuid/setgid
programs there are on a system the better.  If a system could have them 
*all* removed, that would be great. :)

Security types generally don't like them either, regarding them as a 
point of weakness due to circumventing finer grained access controls 
(sudo, ACLs, RBAC, etc).  setuid/setgid binaries are also included (and 
queried) in *every* system audit.

Good security practice will generally change the binaries back to being
non-setuid/non-setgid (ie "normal" perms) unless there's a Very Good 
Reason for them to be otherwise.

I have personally had to secure/harden many *nix systems over the years, 
plus write detailed technical best practice guides for multi-national 
corporates on how to do it on more than one occasion.  Last time was in 
roughly 2006, and setuid/setgid stuff was regarded as bad old practice
at that time.  I'd expect it would be even less favoured now.


> Does anyone know if setting the permissions to setuid root does actually
> open up a security hole ?

Not directly.  It just creates lots of secondary hassles for SysAdmins, 
Security Admins, policy enforcement software, and monitoring software 
because it introduces another vector for attack.

People having a need for setuid or setgid root for these binaries can 
most definitely do it themselves as part of their roll out.

Not sure if that perspective helps, but you do seem to be asking. :)

Regards and best wishes,

Justin Clift


> woody


-- 
Salasaga  -  Open Source eLearning IDE
               http://www.salasaga.org
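
The audit and reset-to-normal-permissions practice described in this message, as an added example that is not part of the original e-mail: a POSIX shell function that lists setuid/setgid files under a tree and flags any that are missing from a reviewed allowlist. The function names, the file names and the one-path-per-line allowlist format are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). All paths are constructed.

# audit_setid ROOT ALLOWLIST [strip]
#   Lists every regular file under ROOT with the setuid (4000) or setgid
#   (2000) bit set. ALLOWLIST holds one reviewed absolute path per line.
#   With "strip", files not on the allowlist are reset to normal perms.
#   Returns 1 if any file was not on the allowlist, else 0.
audit_setid() {
    root=$1; allow=$2; action=${3:-report}; rc=0
    tmp=$(mktemp) || return 2
    # -xdev stays on one filesystem; this -perm form is the portable one.
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
        sort > "$tmp"
    while IFS= read -r f; do
        info=$(ls -ld "$f" | awk '{print $1, $3 ":" $4}')
        if grep -Fxq -- "$f" "$allow"; then
            echo "ALLOWED    $info $f"
        else
            echo "UNEXPECTED $info $f"
            rc=1
            # Drop both bits; the other permission bits are left alone.
            if [ "$action" = strip ]; then chmod u-s,g-s "$f"; fi
        fi
    done < "$tmp"
    rm -f "$tmp"
    return $rc
}

# make_fixture: build a constructed sample tree and print its path.
make_fixture() {
    d=$(mktemp -d) || return 2
    mkdir "$d/bin"
    for n in diag_a diag_b diag_c; do
        printf '#!/bin/sh\n' > "$d/bin/$n"
    done
    chmod 4755 "$d/bin/diag_a" "$d/bin/diag_b"   # setuid
    chmod 0755 "$d/bin/diag_c"                   # normal permissions
    echo "$d/bin/diag_a" > "$d/allow.txt"        # only diag_a was reviewed
    echo "$d"
}

fixture=$(make_fixture)
audit_setid "$fixture/bin" "$fixture/allow.txt" ||
    echo "review the UNEXPECTED entries above"
rm -rf "$fixture"
```

File names containing newlines are not handled by the line-based loop.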


