
Re: More Debian v1.2 things...



On 24 Oct 1996, Kevin Dalley wrote:

> Yes, dpkg can only be run as root.  Generally, it is necessary to use
> the root password in order to run dpkg.  Running dpkg is limited to
> people who have the root password.  Craig Saunders suggested having a
> setuid root program for novices.  Unfortunately, having a setuid
> program means that anyone can install any program, including a setuid
> shell.  Having a root password is no longer necessary to do this.
> Thus the additional security risk.

that's why i said it should only be executable by those in a special
group (e.g. a group called 'dpkg').

The system admin would have to deliberately add a user to the group for
them to have the permission to run it.

in other words it is no more of a security hole than dpkg already is.
i.e. it's as insecure as the system admin chooses to make it.

Craig
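
An added example, not part of the original message or of dpkg: a permission audit for the kind of wrapper discussed above, a setuid-root program that only members of one group may execute (root-owned, mode 4750). The function names, the sample modes and the GID 1234 standing in for a 'dpkg' group are assumptions made for illustration.

```python
import os
import stat


def audit_setuid_wrapper(mode, uid, gid, expected_gid):
    """Return findings for a setuid-root wrapper that should be runnable
    only by members of one designated group (root:<group>, mode 4750)."""
    findings = []
    if not stat.S_ISREG(mode):
        findings.append("not a regular file")
    if not mode & stat.S_ISUID:
        findings.append("setuid bit not set")
    if uid != 0:
        findings.append("not owned by root")
    if gid != expected_gid:
        findings.append("group is not the designated group")
    if not mode & stat.S_IXGRP:
        findings.append("designated group cannot execute it")
    if mode & stat.S_IXOTH:
        findings.append("world-executable: any local user can run it as root")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others: contents can be replaced")
    return findings


def audit_path(path, expected_gid):
    """Audit a file on disk; lstat() so a symlink is not silently followed."""
    st = os.lstat(path)
    return audit_setuid_wrapper(st.st_mode, st.st_uid, st.st_gid, expected_gid)


# Constructed sample values (hypothetical GID for the 'dpkg' group).
DPKG_GID = 1234
GROUP_ONLY = stat.S_IFREG | 0o4750       # rwsr-x---  intended setup
WORLD_EXEC = stat.S_IFREG | 0o4755       # rwsr-xr-x  anyone can run it
GROUP_WRITABLE = stat.S_IFREG | 0o4770   # rwsrwx---  group can overwrite it

if __name__ == "__main__":
    samples = [
        ("group-only", GROUP_ONLY, 0, DPKG_GID),
        ("world-executable", WORLD_EXEC, 0, DPKG_GID),
        ("group-writable, wrong group", GROUP_WRITABLE, 0, 100),
    ]
    for label, mode, uid, gid in samples:
        result = audit_setuid_wrapper(mode, uid, gid, DPKG_GID)
        print(label, "->", result or "OK")
```

The audit covers who can run the wrapper, not what the packages installed through it contain.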
