> Or to turn it around, on a user managed workstation it's both
> inconvenient and adds little to security. In fact, it's easiest to just
> keep a root window open and run it from there - which is insecure if
> you walk away and leave it running.
>
> The point I am trying to make is that forcing useful tools to run as
> root for everyone makes little sense on a user managed workstation
> and can be counter-productive as above when users just work around
> the restrictions in an insecure manner.

If you produced a product, would you want it to be considered secure or
insecure out of the box? I think anyone currently looking at the various
worms and viruses bombarding their internet connections can answer that one.
I personally would rather have a secure product. With Gentoo, whose theme
is "totally configurable", the product will only be as insecure as you make
it.

> Perhaps a "secure_options" use flag to cater for those who work in
> multiuser/insecure environments? I would rather not suffer an unusable
> system because a few users have special requirements.

I think we should call it the "insecure_worm-promoting_microsoftesc_options"
use flag. Once again, typing sudo really isn't that big of an
inconvenience. You could even write an alias for traceroute to
exec "sudo /usr/sbin/traceroute".

-bill
> BillK
> On Wed, 2003-12-17 at 09:16, Bill Moritz wrote:
> > > SUID exploits are based on the premise that you've already access to
> > > the system in question. If you don't trust people with accounts on
> > > your system, they shouldn't have it.
> >
> > What about people that run shell servers? Should I have an interview
> > process and a background check on anyone that wants to pay for access to my
> > systems?
> >
> > > Just another $.02
> > >
> > > -d
> >
> > -bill
> >
> > --
> > gentoo-security@g.o mailing list
------- End of Original Message -------