| 1 |
Gentlemen, |
| 2 |
|
| 3 |
I mean no offense, but I think that this change detracts from both |
| 4 |
usability and security. We have to remember why setuid exists in the |
| 5 |
first place. It actually enhances security by discouraging the widely |
| 6 |
lamented practice of spending too much time as root. It is useless for |
| 7 |
us to say that users -shouldn't- do this. If they are inconvenienced, |
| 8 |
and they have the ability to, they will. The only realistic way to |
| 9 |
prevent workarounds to sidestep 'security' by normal users is to remove |
| 10 |
the perceived need to do so. |
| 11 |
|
| 12 |
After all, what is the biggest, gaping security hole in all *nix? |
| 13 |
Root. One account that can do basically anything, and which is sadly |
| 14 |
has often been required to do much of anything. The whole reason for |
| 15 |
setuid is to allow other users to -use- the system without doing this. |
| 16 |
|
| 17 |
From a distro/programmer point of view, it defeats the point to simply |
| 18 |
ship things with setuid off. Realistically, either people will simply |
| 19 |
enable it again (no gain, but annoyance) or start running lots of stuff |
| 20 |
as root (a palpable security loss). The real gain happens when you can |
| 21 |
create specialized user/group roles that can accomplish their tasks, |
| 22 |
much like the shadow user for reading /etc/shadow on some distributions. |
| 23 |
|
| 24 |
This may one day soon become moot as ACLs and the equivilant of Lids |
| 25 |
functionality breaks the monolithic root up into administrative roles. |
| 26 |
I see this as inevitable, and long overdue. This is one point where |
| 27 |
Windows has us beat right now. |
| 28 |
|
| 29 |
Besides, its unreasonable to assume that, (other than fixing known |
| 30 |
holes) you can really secure a system one program at a time. This is a |
| 31 |
case where top-down really is the best approach. If you are concerned, |
| 32 |
let traceroute be suid, but implement Lids. :) |
| 33 |
|
| 34 |
Just adding more cents, |
| 35 |
-David Isecke |
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
-- |
| 40 |
gentoo-security@g.o mailing list |
Archives