Re: Apps that need SU



Hey. I am a Linux newbie. I have been wondering about this precise topic for
a while. I haven't been able to find any documentation on how best to set up
permissions. So I assumed you just ran things as su. Now that I am
enlightened :o) I will go in search once more of some documentation.
HeTTaR
M & D Eaton
hettar@uq.net.au
ICQ 1779385

...
-----Original Message-----
From: Matthew Kirkwood <weejock@ferret.lmh.ox.ac.uk>
To: Stephanos Piperoglou <sp249@cam.ac.uk>
Cc: Lars Torben Wilson <torben@coastnet.com>; Mark Eaton (HeTTaR)
<hettar@uq.net.au>; Gnome List <gnome-list@gnome.org>
Date: Friday, 29 May 1998 12:36 am
Subject: Re: Apps that need SU


>On Thu, 28 May 1998, Stephanos Piperoglou wrote:
>
>> > > I have found that there are a number of apps that you really need to run as
>> > > su. Logs things etc etc. It would be most excellent if apps such as this
>> > > could prompt for passwd or some such and run as su when you need to run
>> > > them.  I have to log in as root to run them because using xdm I can start
>> > > them from a terminal.
>> >
>> > Possibly a better solution would be a password wrapper and sudo.
>>
>> sudo is the work of the devil. The proper way to do this is to have them
>> setuid 0 (or more often setgid 0 - things like logs and disk devices should
>> be accessible by group 0 - wheel or root, depending on which faction of that
>> holy war you're in).
>
>Eeek!  The "make it suid because we can't be bothered to set it up
>properly" attitude is precisely what is beginning to put me off RedHat.
>A good case-in-point:
>
>RedHat 5.1 ships with a new version of xosview.  The default install
>target in the Makefile seems to install it suid root, and it doesn't
>drop those privs at any stage.  _One single grep_ was all that was
>required to find the line
>
> strcpy(nbuf, getenv("HOME"));
>
>(Variable names changed to protect the innocent) and a quick look at
>the source file in question found
>
> char nbuf[1024];
>
>on the preceding line.  Linux has /proc precisely so that things like
>xosview don't need to be suid root.  And it doesn't -- the suid stuff
>seems to be for FreeBSD.
>
>Similarly, a log viewer shouldn't be made suid root.  Create a group
>(it's called logadm on our systems) and add administrators to it.  If
>you _insist_ upon an s?id bit, then make the logs owned by a logadm
>user, not root.
>
>Rant, rant, rant.
>
>Matthew.
>
>
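The two problems raised in the quoted message (a set-id root binary that never drops its privileges, and an unbounded `strcpy` of `HOME` into a 1024-byte buffer) shown in hardened form. This is an added example, not code from xosview or from anyone in the thread; the function names `drop_privileges` and `copy_env_checked` are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define NBUF_SIZE 1024  /* same size as the buffer quoted in the message */

/* Give up set-id privileges: group first, then user, because once the
 * uid is dropped the process may no longer be allowed to change groups.
 * In a setuid-root program these calls reset real, effective and saved IDs. */
int drop_privileges(void)
{
    gid_t rgid = getgid();
    uid_t ruid = getuid();

    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;
    /* Verify the drop took effect instead of trusting the return codes. */
    if (getegid() != rgid || geteuid() != ruid)
        return -1;
    return 0;
}

/* Bounded replacement for strcpy(nbuf, getenv("HOME")): rejects an
 * unset variable (NULL) and any value that does not fit in dst. */
int copy_env_checked(char *dst, size_t dstlen, const char *value)
{
    size_t n;

    if (dst == NULL || dstlen == 0 || value == NULL)
        return -1;
    n = strlen(value);
    if (n >= dstlen)
        return -1;              /* would overflow: refuse, do not truncate */
    memcpy(dst, value, n + 1);  /* n + 1 copies the terminating NUL too */
    return 0;
}

int main(void)
{
    char nbuf[NBUF_SIZE];

    /* Drop privileges before touching any caller-controlled input. */
    if (drop_privileges() != 0 ||
        copy_env_checked(nbuf, sizeof nbuf, getenv("HOME")) != 0)
        return 1;
    printf("HOME=%s\n", nbuf);
    return 0;
}
```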


