On 11/05/2017 01:49, Adam Carter wrote:
> I want to allow some fairly well trusted users the ability to do traces
> with icmp. I can give them sudo, but how high is the risk of making
> traceroute suid root? AFAIK making text editors or anything that has an
> ability to run shell commands suid root is effectively giving them root
> access, but other than exploiting vulnerabilities in traceroute itself,
> are there any other issues?
|
You have at least 3 approaches
|
1. suid root. If you err on the side of the binary probably being OK,
you will probably be fine. I don't know of any issues with traceroute, I
have many systems where it ships suid root without issue (like ping)
|
2. sudo, which frankly is a monumental PITA to maintain - it tends to
grow and bloat and the syntax isn't easy to parse in your mind. It also
doesn't let you give users access to a certain thing, you have to come
up with all the commands that do that, then figure out a regex that
matches what you want and nothing you don't want. A real PITA
|
3. Capabilities, like John said. Ideally this is what you really want.
Users can't run traceroute because they can't open raw sockets.
Capabilities let you give them that permission, deftly avoiding
questions as to the vuln status of the traceroute binary
|
--
Alan McKinnon
alan.mckinnon@×××××.com
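
An added example, not part of the original message: a small audit helper for option 3 that decodes a binary's file-capability attribute and reports whether it is still setuid or carries more than the raw-socket capability. It assumes the Linux `security.capability` xattr layout from linux/capability.h and that the capability being granted is cap_net_raw; the sample byte strings are constructed, and on a live system the value would come from `os.getxattr(path, "security.capability")`.

```python
import struct

# Constants from linux/capability.h (file capabilities live in the
# "security.capability" extended attribute as little-endian 32-bit words).
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
WORDS_BY_REVISION = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}
CAP_NAMES = {1: "cap_dac_override", 7: "cap_setuid", 12: "cap_net_admin",
             13: "cap_net_raw", 21: "cap_sys_admin"}  # subset, for readable output

def _names(mask):
    return sorted(CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if mask >> b & 1)

def decode_vfs_caps(xattr):
    """Decode a raw security.capability value into named capability sets."""
    magic = int.from_bytes(xattr[:4], "little")
    words = WORDS_BY_REVISION.get(magic & VFS_CAP_REVISION_MASK)
    if words is None or len(xattr) < 4 + 8 * words:
        raise ValueError("unknown revision or truncated security.capability value")
    permitted = inheritable = 0
    for i in range(words):  # each (permitted, inheritable) pair covers 32 capabilities
        p, inh = struct.unpack_from("<II", xattr, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return {"effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": _names(permitted), "inheritable": _names(inheritable)}

def audit(mode, xattr, allowed=("cap_net_raw",)):
    """Return findings for a binary given its st_mode and capability xattr (or None)."""
    findings = []
    if mode & 0o4000:
        findings.append("setuid bit set: runs with the owner's full privileges")
    if xattr is not None:
        extra = [c for c in decode_vfs_caps(xattr)["permitted"] if c not in allowed]
        if extra:
            findings.append("capabilities beyond the allowed set: " + ", ".join(extra))
    return findings

# Constructed samples (not taken from a real system): the value for
# cap_net_raw+ep, and one that also carries cap_sys_admin.
NET_RAW_EP = struct.pack("<IIIII", 0x02000001, 1 << 13, 0, 0, 0)
TOO_BROAD = struct.pack("<IIIII", 0x02000001, (1 << 13) | (1 << 21), 0, 0, 0)

if __name__ == "__main__":
    print(decode_vfs_caps(NET_RAW_EP))
    print(audit(0o100755, NET_RAW_EP), audit(0o104755, None), audit(0o100755, TOO_BROAD))
```

An empty result from `audit` means the binary is not setuid and holds nothing beyond cap_net_raw.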