Re: PPP, Mount/Unmount

James Aylett wrote:

> On Wed, Aug 11, 1999 at 09:15:47AM -0600, Michael Dennis wrote:
> [Snip: Tom Gilbert's explanation]
> > So what you are saying is that root utilities such as software installation
> > should only be done via command line?
> I don't think anyone's saying this; however they _are_ saying that it's (a)
> difficult, and (b) inadvisable, to have a system whereby a normal user can
> run an installation program, have it prompt them for a root password, and
> then go on.
> Apologies if you already know the following ...
> Basically, the problem is that in order for this to happen, you have to have
> a program somewhere that is setuid root. Try this:
> $ ls -l `which su`
> -rwsr-xr-x   1 root     root         9512 Jun  2 14:59 /bin/su
> The 's' means that when run, /bin/su runs as root (which it needs to be able
> to do to do its job). However this is a potential security hole - anything
> that automatically runs as root, no matter which user invokes it, has the
> potential, if it has a certain type of bug in it, to enable _any_ user to
> run _any_ command as root - this is clearly a security problem.
> In order to get a graphical prompt asking for a password, practically
> speaking, needs a graphical program somewhere to be setuid root. While it's
> fairly easy to audit /bin/su to make sure it's secure (since it's not a very
> complex program), but graphical programs are always more complex and so it's
> much harder to check them.
> In particular, none of the GNOME libraries, as I understand it, have been
> audited for security, so if someone wrote a nice GNOME root-password-box
> thing, virtually everything it calls would have to be audited, which would
> take quite a while :-(
> > Maybe a su version of a graphical RPM installer which prompts you for your
> > root password would be nice?
> It might be, but it's a risk. There's a possibility someone can come up with
> a smart way of using su (or, more likely, something like sudo/fakeroot,
> which are designed to allow ordinary users to securely run other programs as
> root without those other programs needing to be setuid root) to allow this,
> of course. It's still got security issues, because the password as you type
> in will be pushed around at the very least the local system, which can be
> vulnerable ...
> Cheers,
> James
> --
> /--------------------------------------------------------------------------\
>   James Aylett                                 

I agree that we don't want to sacrifice Linux security for ease of use, but maybe
someone could come up with a creative way to deal with both.  My ideas obviously
don't cover every base but maybe they can stimulate some thought on something
that I think is a bit tricky for a novice user and that they commonly need to do.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]