Re: Bug#4051: access permissions for /usr/bin/fdmount

[Ian Jackson <ian@chiark.chu.cam.ac.uk>]

Michael Meskes writes ("Re: Bug#4051: access permissions for /usr/bin/fdmount"):
> Ian Jackson writes:
...
> > Compiling names of groups or even worse group ids into binaries is a
> > bad idea.
> 
> Why? Because it's not easy to change? 

It's hard to change and obscure.  Policy is best implemented where it
can be seen.

>  I talked to Alain (upstream
> maintainer) about my changes and he's going to included them into 4.4. I
> don't see the problem right now, since you're able to put everyone in group
> floppy who shall be able to use fdmount. On the other hand this group coding
> (which is ifdef'ed btw so it's not much work to create a new version) adds
> security. How many systems have wrong permissions on some files? In
> particular a file with s.bit should be as secure as possible IMHO.

Obviously if you've done it right having the binary check itself
whether rgid or getgroups includes `floppy' and having it only
executable by group floppy have the same security effect.

However, there are other differences: having the permissions on the
binary do the enforcement means that a programming error of any kind
in the binary is at most an exposure to group floppy (which may well
be only the sysadmin anyway).  It also makes it much more obvious to
people how to get access.

...
> No problem Ian. But then I'm not so sure if it's a bug now.

We should either change fdmount to match the policy and the other
similar programs (dip, for example), or we should change the policy
and the other programs to match fdmount.

I think that using the file permissions is technically superior, so I
think we should stick with it.

Ian.