[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: FHS compliance and UNIX sockets



On Tue, Jan 30, 2001 at 12:14:07PM +1100, Herbert Xu wrote:
> 
> In that case, make ssh-agent setuid a new user who owns /var/run/ssh.
> Then ssh-agent can create a directory under it for the user invoking
> it and make it owned by that user.  The rest is trivial.

sorry but this is nuts, ssh-agent is not written to be a set[ug]id
program, making it setuid would be dangerous.  it probably would not
even function correctly.  

other then that all this accomplishes is giving the user evem more
write permission to /var then they already have.  this is Bad Thing
IMNSHO.  

the set[ug]id bit has been an endless source of security problems
forever, it should be used only when *absolutely necessary* and
ssh-agent does not even close to qualify as being absolutely
necessary.  The FHS is broken, fix the FHS.  

this also ignores the fact that gnome and whatnot have several
programs making use of sockets, do you propose we make all those
setuid as well?  

-- 
Ethan Benson
http://www.alaska.net/~erbenson/

Attachment: pgpg5YlnGyEYT.pgp
Description: PGP signature


Reply to: