| 1 |
I'm trying to work out how many ways there are to increase the permissions of a user. |
| 2 |
|
| 3 |
1: su -: Needs root password and you need to be in the group "wheel". |
| 4 |
2: sudo: You need to be in the group "wheel" or in the /etc/sudoers file, using your own user password. |
| 5 |
I'm not counting gksu and gksudo they are just front ends. |
| 6 |
3: sudoedit: This is the best way to edit text files, it uses the same rules as sudo. |
| 7 |
|
| 8 |
4: Linux "Capabilities" or "caps": Which increases permissions on a per-file basis. e.g. removing SUID from ping and adding CAP_NET_RAW to ping. |
| 9 |
This is much safer than running the whole program as root. http://linux.die.net/man/7/capabilities |
| 10 |
|
| 11 |
5: Policykit: (Give this a read http://hal.freedesktop.org/docs/PolicyKit/introduction.html ) |
| 12 |
6: Polkit: Is the new name for Policykit, it's a higher version and they do not talk to each other. |
| 13 |
If you run a mixed architecture there is a good chance you will have both. |
| 14 |
|
| 15 |
7: Access Control Lists: (ACL) Very easy to setup and forget because Nautilus and others do not list the ACL settings. |
| 16 |
A remote windows user configuring a samba share could let more people read and write to it then Nautilus shows. |
| 17 |
|
| 18 |
8: SUID and SGID: One of the fastest ways to open up a security hole in your system. |
| 19 |
|
| 20 |
9: Groups: Lots of groups, but not much information on what permissions you get. http://en.gentoo-wiki.com/wiki/List_of_Groups |
| 21 |
Udev and Fuse use group settings right? |
| 22 |
|
| 23 |
Did I miss any way of increasing your rights? (not counting security holes) |
| 24 |
|
| 25 |
I see that the stable net-misc/iputils (ping) does not use capabilities. Is this included in the unstable version, or is it planned for the future? |
| 26 |
I wish there was a way to run gedit with sudoedit, is there? |
| 27 |
I think Polkit support for gedit is planned, does anyone know the bug number? |
| 28 |
|
| 29 |
Right now my system has all of the above but not Linux "capabilities". I'm having very hard time working out: |
| 30 |
Which users can do what and how. |
| 31 |
Which groups can do what and how. |
| 32 |
Which files can do what and who can run them. |
| 33 |
How the user's status affects what the program can do. |
| 34 |
|
| 35 |
Is there an all-in-one program for keeping track of all this or do I have to write one? |
| 36 |
|
| 37 |
It's very easy for users to set their home folder to other, read, write and execute. It's not just silly users doing that, but any program running with the users rights. |
| 38 |
There was a buggy program in Ubuntu which set your home folder to other rwx, I never worked out which one was doing that. |
| 39 |
A fast work around was to set the user's home folder to owner root and make sure that group was set to rwx. |
| 40 |
Is that safe? |
| 41 |
|
| 42 |
I'm very happy Gentoo user but I find that configuring things can get very messy. |
Archives