Re: [RFC] disabled root account / distinct group for users with administrative privileges
On Wed, 20 Oct 2010, Vincent Danjean <vdanjean.ml@free.fr> wrote:
> > How about the "root" group?
>
> This would hurt systems where umask is 002 (or 007) by default (the root
> group is the primary group of the root user with nobody else in it)
find / -gid 0 -perm /20 \! -type l
The above find command will discover some of the cases where access to the
root group will give direct access to interesting things. From a quick run on
a Squeeze system I noticed that with GID==0 you can apparently write directly
to all USB devices (/dev/bus/usb/*/* is writable).
However it would be nice if GID==0 wouldn't actually cause any problems and
it's good that GID==0 gets less write access to a Debian system than last time
I checked. There are too many people who write daemons that call setuid()
before calling setgid() to drop privileges...
--
russell@coker.com.au
http://etbe.coker.com.au/ My Main Blog
http://doc.coker.com.au/ My Documents Blog
Reply to: