Re: setuid/setgid binaries contained in the Debian repository.

To: debian-devel@lists.debian.org
Subject: Re: setuid/setgid binaries contained in the Debian repository.
From: Gunnar Wolf <gwolf@gwolf.cx>
Date: Mon, 11 Aug 2003 19:02:04 -0500
Message-id: <[🔎] 20030812000203.GX8838@gwolf.cx>
In-reply-to: <[🔎] 20030811230052.GA7475@molehole.dyndns.org>
References: <[🔎] 200308110945.50230.josef@ggzgamingzone.org> <[🔎] 20030811085650.GA17898@evbergen.xs4all.nl> <[🔎] 200308111234.00658.josef@ggzgamingzone.org> <[🔎] 20030811134149.GR23819@alcor.net> <[🔎] 20030811140338.GB7413@evbergen.xs4all.nl> <[🔎] 20030811143437.GB15143@alcor.net> <[🔎] 20030811161919.GB11157@evbergen.xs4all.nl> <[🔎] 20030811173121.GL15143@alcor.net> <[🔎] 20030811182645.GB20650@evbergen.xs4all.nl> <[🔎] 20030811230052.GA7475@molehole.dyndns.org>

Steve Greenland dijo [Mon, Aug 11, 2003 at 06:00:52PM -0500]:
> On 11-Aug-03, 13:26 (CDT), Emile van Bergen <emile-deb@evbergen.xs4all.nl> wrote: 
> > But fundamentally, there is no alternative. 
> 
> Sure there is. It's called "fine grained privileges" or somesuch, and
> allows you to assign a user or program a specific set of priviliges or
> capabilities needed to accomplish the task at hand. That way, when the
> program is exploited, you don't give away the farm the way you do with
> Unix's all-or-nothing root user. SELinux is one implementation of this
> idea, althugh it's hardly new.
> 
> And no, using specific users or groups for specific tasks is NOT
> equivalent, it's just the best we can do with the standard Unix security
> model.

Another very interesting -and IMHO more convenient- implementation of
this same idea is OpenBSD's Systrace - which has already been ported to
Linux, and is in fact present in Debian (check packages systrace,
kernel-patch-systrace and xsystrace).

Greetings,

-- 
Gunnar Wolf - gwolf@gwolf.cx - (+52-55)5630-9700 ext. 1366
PGP key 1024D/8BB527AF 2001-10-23
Fingerprint: 0C79 D2D1 2C4E 9CE4 5973  F800 D80E F35A 8BB5 27AF

Reply to:

References:
- Re: setuid/setgid binaries contained in the Debian repository.
  - From: Josef Spillner <josef@ggzgamingzone.org>
- Re: setuid/setgid binaries contained in the Debian repository.
  - From: Emile van Bergen <emile-deb@evbergen.xs4all.nl>
- Re: setuid/setgid binaries contained in the Debian repository.
  - From: Josef Spillner <josef@ggzgamingzone.org>
- Re: setuid/setgid binaries contained in the Debian repository.
  - From: Matt Zimmerman <mdz@debian.org>
- Re: setuid/setgid binaries contained in the Debian repository.
  - From: Emile van Bergen <emile-deb@evbergen.xs4all.nl>
- Re: setuid/setgid binaries contained in the Debian repository.
  - From: Matt Zimmerman <mdz@debian.org>
- Re: setuid/setgid binaries contained in the Debian repository.
  - From: Emile van Bergen <emile-deb@evbergen.xs4all.nl>
- Re: setuid/setgid binaries contained in the Debian repository.
  - From: Matt Zimmerman <mdz@debian.org>
- Re: setuid/setgid binaries contained in the Debian repository.
  - From: Emile van Bergen <emile-deb@evbergen.xs4all.nl>
- Re: setuid/setgid binaries contained in the Debian repository.
  - From: Steve Greenland <steveg@moregruel.net>

Prev by Date: Re: setuid/setgid binaries contained in the Debian repository.
Next by Date: Relocation of Debian packages into home directories and such (Re: setuid/setgid binaries contained in the Debian repository.)
Previous by thread: Re: setuid/setgid binaries contained in the Debian repository.
Next by thread: Re: setuid/setgid binaries contained in the Debian repository.
Index(es):
- Date
- Thread