Re: Apps that need SU



On 28 May 1998, Lars Torben Wilson wrote:

> "Mark Eaton (HeTTaR)" <hettar@uq.net.au> writes:
> 
> > I have found that there are a number of apps that you really need to run as
> > su. Logs, things etc etc. It would be most excellent if apps such as this
> > could prompt for passwd or some such and run as su when you need to run
> > them.  I have to log in as root to run them because using xdm I can start
> > them from a terminal.
> > 
> > Is there any reason this type of thing shouldn't be implemented ??
> 
> Possibly a better solution would be a password wrapper and sudo.

sudo is the work of the devil. The proper way to do this is to have them
setuid 0 (or more often setgid 0 - things like logs and disk devices should
be accessible by group 0 - wheel or root, depending on which faction of that
holy war you're in).

I know the problem. In order to get GNOME running I installed RedHat to
replace my ageing Slackware system, and I'm slightly (though not overly)
impressed by it. Downside is I don't have access to things like /var/log/*,
/dev/cdrom and such as a normal user, though some fiddling with group
memberships and permissions solved it.

Problem with setuid/setgid programs is that they have to be secure. I think
this should be an option to configure with a SERIOUSLY VERBOSE WARNING
attached. Gnome is in development and there are bound to be holes sooner or
later.

I think the easiest way would be for some things to be disabled. If a user
doesn't have access to a file or device, the solution is to GIVE them
access, and that's not part of GNOME. Most people never log in as root when
they don't have to (though a lot of Linux newbies only log in as root!).
Let's not forget that, although most of us run Linux at home on our own PCs,
this *is* a multi-user system.

If the log viewer doesn't have access to the system logs, that means the
current user has no access to the system logs. Making logview suid root is
not the solution - it's a compromising hack. Fiddle with your permissions
and give them access, that's the way to do it. Any user that's also a system
administrator should also be part of group 0 (root on most Linux systems,
wheel on some others). That should solve the problem. Put it in the FAQ, but
don't compromise security.

-- Stephanos Piperoglou -- stephanos@internet.com ---------------------
Visit HTML with Style at              http://www.webreference.com/html/
   Every second Thursday a new tutorial on HTML and CSS, plus much,
    much more... for those who like to author Web pages with Style
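Added example, not from the thread or any of its participants: a small POSIX sh script that contrasts the two routes the reply discusses, marking the viewer setuid (the "compromising hack") versus giving the administrators' group read access to the logs. It runs unprivileged against a constructed throwaway directory standing in for /var/log, and uses the current user's primary group as a stand-in for group 0 (root or wheel); the file names, the sample log lines and the toy `logview` script are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Simulates /var/log in a temp dir
# and shows the setuid route beside the group-permission route.
set -e

# Stand-in for the administrators' group. The post uses group 0 (root/wheel);
# here the user's own primary group is used so this runs without privilege.
ADMIN_GROUP=$(id -gn)

# Build a constructed fake log directory with owner-only logs (mode 600),
# which is how stock system logs usually ship.
make_fake_logdir() {
    dir=$(mktemp -d)
    printf 'May 28 12:00:01 host kernel: constructed sample line\n' > "$dir/messages"
    printf 'May 28 12:00:02 host sshd: constructed sample line\n' > "$dir/secure"
    chmod 600 "$dir/messages" "$dir/secure"
    # Toy log viewer standing in for GNOME's logview.
    printf '#!/bin/sh\ncat "$@"\n' > "$dir/logview"
    chmod 755 "$dir/logview"
    printf '%s\n' "$dir"
}

# Count setuid/setgid files below a directory. Every such file is an
# elevated-privilege boundary: any hole in it becomes a root (or group 0) hole.
count_setuid_setgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | wc -l | tr -d ' '
}

# The post's recommended route: leave the viewer unprivileged and hand the
# admin group read access to the log files themselves (mode 640).
grant_group_read() {
    dir=$1; group=$2
    for f in "$dir"/messages "$dir"/secure; do
        chgrp "$group" "$f"
        chmod 640 "$f"
    done
}

# Count log files whose group read bit is clear. ls -l prints e.g.
# -rw-r-----; column 5 is the group read flag (portable across GNU and BSD).
count_group_unreadable() {
    n=0
    for f in "$1"/messages "$1"/secure; do
        [ "$(ls -l "$f" | cut -c5)" = "r" ] || n=$((n + 1))
    done
    echo "$n"
}

# Walk through both approaches and print what each leaves behind.
demo() {
    d=$(make_fake_logdir)
    echo "fresh logs unreadable by group: $(count_group_unreadable "$d")"
    chmod u+s "$d/logview"      # the hack: a setuid viewer
    echo "privileged binaries after setuid hack: $(count_setuid_setgid "$d")"
    chmod u-s "$d/logview"      # undo it and fix the permissions instead
    grant_group_read "$d" "$ADMIN_GROUP"
    echo "privileged binaries after group fix: $(count_setuid_setgid "$d")"
    echo "logs unreadable by group after fix:  $(count_group_unreadable "$d")"
    rm -rf "$d"
}

# Run the walkthrough only when invoked as: sh example.sh demo
if [ "${1-}" = "demo" ]; then
    demo
fi
```

On a real system the equivalent of `grant_group_read` is run once by root against /var/log (and the device nodes the post mentions), with the administrator's account added to group 0, after which the unprivileged viewer simply works and no setuid bit is needed.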
