1 |
I'm trying to work out how many ways there are to increase the permissions of a user. |
2 |
|
3 |
1: su -: Needs root password and you need to be in the group "wheel". |
4 |
2: sudo: You need to be in the group "wheel" or in the /etc/sudoers file, using your own user password. |
5 |
I'm not counting gksu and gksudo they are just front ends. |
6 |
3: sudoedit: This is the best way to edit text files, it uses the same rules as sudo. |
7 |
|
8 |
4: Linux "Capabilities" or "caps": Which increases permissions on a per-file basis. e.g. removing SUID from ping and adding CAP_NET_RAW to ping. |
9 |
This is much safer than running the whole program as root. http://linux.die.net/man/7/capabilities |
10 |
|
11 |
5: Policykit: (Give this a read http://hal.freedesktop.org/docs/PolicyKit/introduction.html ) |
12 |
6: Polkit: Is the new name for Policykit, it's a higher version and they do not talk to each other. |
13 |
If you run a mixed architecture there is a good chance you will have both. |
14 |
|
15 |
7: Access Control Lists: (ACL) Very easy to setup and forget because Nautilus and others do not list the ACL settings. |
16 |
A remote windows user configuring a samba share could let more people read and write to it then Nautilus shows. |
17 |
|
18 |
8: SUID and SGID: One of the fastest ways to open up a security hole in your system. |
19 |
|
20 |
9: Groups: Lots of groups, but not much information on what permissions you get. http://en.gentoo-wiki.com/wiki/List_of_Groups |
21 |
Udev and Fuse use group settings right? |
22 |
|
23 |
Did I miss any way of increasing your rights? (not counting security holes) |
24 |
|
25 |
I see that the stable net-misc/iputils (ping) does not use capabilities. Is this included in the unstable version, or is it planned for the future? |
26 |
I wish there was a way to run gedit with sudoedit, is there? |
27 |
I think Polkit support for gedit is planned, does anyone know the bug number? |
28 |
|
29 |
Right now my system has all of the above but not Linux "capabilities". I'm having very hard time working out: |
30 |
Which users can do what and how. |
31 |
Which groups can do what and how. |
32 |
Which files can do what and who can run them. |
33 |
How the user's status affects what the program can do. |
34 |
|
35 |
Is there an all-in-one program for keeping track of all this or do I have to write one? |
36 |
|
37 |
It's very easy for users to set their home folder to other, read, write and execute. It's not just silly users doing that, but any program running with the users rights. |
38 |
There was a buggy program in Ubuntu which set your home folder to other rwx, I never worked out which one was doing that. |
39 |
A fast work around was to set the user's home folder to owner root and make sure that group was set to rwx. |
40 |
Is that safe? |
41 |
|
42 |
I'm very happy Gentoo user but I find that configuring things can get very messy. |