1 |
Gentlemen, |
2 |
|
3 |
I mean no offense, but I think that this change detracts from both |
4 |
usability and security. We have to remember why setuid exists in the |
5 |
first place. It actually enhances security by discouraging the widely |
6 |
lamented practice of spending too much time as root. It is useless for |
7 |
us to say that users -shouldn't- do this. If they are inconvenienced, |
8 |
and they have the ability to, they will. The only realistic way to |
9 |
prevent workarounds to sidestep 'security' by normal users is to remove |
10 |
the perceived need to do so. |
11 |
|
12 |
After all, what is the biggest, gaping security hole in all *nix? |
13 |
Root. One account that can do basically anything, and which is sadly |
14 |
has often been required to do much of anything. The whole reason for |
15 |
setuid is to allow other users to -use- the system without doing this. |
16 |
|
17 |
From a distro/programmer point of view, it defeats the point to simply |
18 |
ship things with setuid off. Realistically, either people will simply |
19 |
enable it again (no gain, but annoyance) or start running lots of stuff |
20 |
as root (a palpable security loss). The real gain happens when you can |
21 |
create specialized user/group roles that can accomplish their tasks, |
22 |
much like the shadow user for reading /etc/shadow on some distributions. |
23 |
|
24 |
This may one day soon become moot as ACLs and the equivilant of Lids |
25 |
functionality breaks the monolithic root up into administrative roles. |
26 |
I see this as inevitable, and long overdue. This is one point where |
27 |
Windows has us beat right now. |
28 |
|
29 |
Besides, its unreasonable to assume that, (other than fixing known |
30 |
holes) you can really secure a system one program at a time. This is a |
31 |
case where top-down really is the best approach. If you are concerned, |
32 |
let traceroute be suid, but implement Lids. :) |
33 |
|
34 |
Just adding more cents, |
35 |
-David Isecke |
36 |
|
37 |
|
38 |
|
39 |
-- |
40 |
gentoo-security@g.o mailing list |