
Re: Re: p.s. (was: Re: Shutdown by a user)



The basic idea is that every such compilation is done by root user,
who is usually the administrator in each site. It doesn't mean
that the root password is to be provided to a regular user - IT SHOULD NOT!

If a regular user gets the root password, there is no need to write setuid
programs or use sudo-enabled commands. He can just invoke any
privileged command or modify the sudo control file, that is in text format.

In short, the key idea is, that both options should be controlled by the
root administrator and only him.

Avi

-----Original Message-----
From: guy keren <choo@actcom.co.il>
To: netvision <avi@mbi.co.il>
Cc: N Sakthivel <svel@plasma.ernet.in>; ILUG <linux-il@linux.org.il>
Date: Saturday, 22 July 2000 21:25
Subject: Re: Re: p.s. (was: Re: Shutdown by a user)


>
>On Sat, 22 Jul 2000, netvision wrote:
>
>> You can shutdown by a user, by building a special program for that
>> purpose.
>> This program will use the 'setuid' command with userid root, and the
>> shutdown command with its flags can be hard coded, or get the flags as
>> parameters.
>
>the way you describe this - you might as well give those users the root
>password, as your little program can be quite trivially fooled into
>running any code the user wants to. in general, one should NOT write suid
>programs without proper security checking. just as an example, one could
>use the LD_PRELOAD environment variable in order to load a library that
>defines 'system' as a function that simply spawns a shell and attaches its
>prompt to the user's terminal.
>
>no, sudo is better here.
>
>guy
>
>"For world domination - press 1,
> or dial 0, and please hold, for the creator." -- nob o. dy
>
>
>=================================================================
>To unsubscribe, send mail to linux-il-request@linux.org.il with
>the word "unsubscribe" in the message body, e.g., run the command
>echo unsubscribe | mail linux-il-request@linux.org.il
>
>
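The kind of checking the quoted reply asks for in a setuid program can be sketched as below. This is an added example, not code from either poster; it assumes shutdown lives at /sbin/shutdown and uses hypothetical mode words "halt" and "reboot", so the caller picks a mode rather than passing raw flags, and the command runs through execve with a fixed environment instead of system().

```c
/* Hardened setuid-root shutdown wrapper (added example, not from the thread).
 * Assumed: shutdown is /sbin/shutdown; the binary is root-owned, mode 4750,
 * with a dedicated group so only chosen users can run it. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SHUTDOWN_PATH "/sbin/shutdown"   /* assumed absolute path */

/* Fixed environment for the child: nothing from the caller survives. */
static char *const SAFE_ENV[] = { "PATH=/sbin:/bin:/usr/sbin:/usr/bin", NULL };

/* Map a user-supplied mode word to a hard-coded flag; the user never
 * supplies flags directly. Returns 0 on success, -1 if mode is rejected. */
int build_shutdown_argv(const char *mode, char *argv_out[4])
{
    char *flag;

    if (mode == NULL)
        return -1;
    if (strcmp(mode, "halt") == 0)
        flag = "-h";
    else if (strcmp(mode, "reboot") == 0)
        flag = "-r";
    else
        return -1;              /* anything else, including raw flags */
    argv_out[0] = "shutdown";
    argv_out[1] = flag;
    argv_out[2] = "now";
    argv_out[3] = NULL;
    return 0;
}

int main(int argc, char *argv[])
{
    char *child_argv[4];

    if (argc != 2 || build_shutdown_argv(argv[1], child_argv) != 0) {
        fprintf(stderr, "usage: %s halt|reboot\n", argv[0]);
        return 2;
    }
    if (setuid(0) != 0) {       /* set real uid too; fails if not setuid-root */
        perror("setuid");
        return 1;
    }
    /* Absolute path, fixed argv and env: no shell and no PATH lookup. */
    execve(SHUTDOWN_PATH, child_argv, SAFE_ENV);
    perror("execve");
    return 1;
}
```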

