Gentoo Archives: gentoo-security

From: Michael Reilly <michaelr@×××××.com>
To: Mark Guertin <guertin@××××××××××××××.com>
Cc: gentoo-security@g.o
Subject: Re: [gentoo-security] Changes to traceroute in newest release
Date: Tue, 16 Dec 2003 13:44:22
Message-Id: 20031216114310.68745326.michaelr@cisco.com
In Reply to: Re: [gentoo-security] Changes to traceroute in newest release by Mark Guertin
On Tue, 16 Dec 2003 13:33:07 -0500
Mark Guertin <guertin@××××××××××××××.com> wrote:

> On 16-Dec-03, at 1:16 PM, Michael Reilly wrote:
>
> >> Well, I can't speak for everyone else, but I certainly find the
> >> changes welcome.
> >
> > I find the change offensive. It is my system and I want the tools I
> > install to work. There is no excuse for someone thinking they can
> > force me to su every time I want to run traceroute. Of course the
> > fix is obvious - chmod 4755 traceroute.
> >
> > Why isn't this a USE option?
>
> a USE option for this doesn't make a lot of sense in my mind .... think
> about it. USE="suid" could be more like USE="hackmenow" ;) The trend
> with security is to eliminate this sort of thing, not to encourage it.

Depends on how you view security and where you want to put your security. I much prefer an overall solution like selinux or rsbac and to some extent grsecurity. Making a single or few tools more difficult to use doesn't help security in the end.

> That said it's easy enough for you to chmod it, so maybe a simple ewarn
> is in order for people that have this concern that they can chmod it if
> they desire, but I agree that by default that less with these
> permissions are better.

A warning would be useful. What I disagree with is someone silently making tools less useful without letting the person installing the tool and using the system know what is being done and not allowing an option to retain the functionality.

michael

>
> cfengine is the good stuff. Works on OSX too in case anyone cares :)

Thanks for the pointer to cfengine - I'll take a look.

>
> Mark
>
>
> --
> gentoo-security@g.o mailing list

--
---- ---- ----
Michael Reilly michaelr@×××××.com
Cisco Systems, Santa Cruz, CA
--
gentoo-security@g.o mailing list

Replies

Subject Author
Re: [gentoo-security] Changes to traceroute in newest release Heikki Levanto <heikki@×××.dk>