Gentoo Archives: gentoo-amd64

From: Duncan <1i5t5.duncan@×××.net>
To: gentoo-amd64@l.g.o
Subject: [gentoo-amd64] OT but something to think about (security and root paths)
Date: Sat, 21 Jun 2008 07:54:47
1 *ix vets should know this already, but I was thinking about it again
2 today, wondering how many sysadmin (and every Gentoo system user with
3 root access is effectively a sysadmin) newbies know it, thus this post.
5 No untrusted or non-root user should be able to set the path for root, or
6 write to any directories found in that path. If they can, or can
7 otherwise convince a root user to run an executable that they can write
8 to, they effectively already have root.
10 Something to think about when you are running as root. Do you ever as
11 root run scripts or other executables that a user has write access to?
12 Are your system permissions and root path setup appropriately so you
13 can't run them by default, perhaps when someone puts their own version of
14 something like ls earlier in your path than the system version?
16 Some cautious admins make it a practice to always use a full path when
17 invoking a command as root. That's a good practice, as far as it goes,
18 but to be really effective, they must ensure no scripts or other commands
19 they run as root, invoke anything else without full path either. That's
20 a tough one, even tougher than teaching yourself to always use a full
21 path, so not so many bother.
23 Who knows, maybe this will prevent someone reading it from getting
24 rooted. Like I said, I was just thinking about it, and decided it might
25 be something worth posting.
27 --
28 Duncan - List replies preferred. No HTML msgs.
29 "Every nonfree program has a lord, a master --
30 and if you use the program, he is your master." Richard Stallman
32 --
33 gentoo-amd64@l.g.o mailing list