
Bug#299007: base-files: Insecure PATH



Bill Allombert <allomber@math.u-bordeaux.fr> wrote:

>> Group staff is an anachronism: its ownership of /home is "wrong". Its use
>> and usefulness should be reviewed.
> 
> An anachronism? What paradigm shift made it "wrong"?
> 
>> Group staff is said to be useful "for helpdesk types or junior sysadmins",
>> without warnings that it is in fact root-equivalent.
> 
> Who said that?

Quoting from the original bug report:

  The Debian Reference [3] and Securing Debian Manual [4], [5] say
  
    [group] staff is ... for helpdesk types or junior sysadmins ... to do
    things in /usr/local and to create directories in /home.
  
    [group] staff: Allows users to add local modifications to the system
    (/usr/local, /home) without needing root privileges.
  
    The 'staff' group are usually help-desk/junior sysadmins, allowing them
    to work in /usr/local and create directories in /home. 
  
  (This is surely wrong, seems a SysV left-over: you need root privileges to
  chown user directories in /home or in fact to create users in /etc/passwd.)
  ...
  [3] http://www.debian.org/doc/manuals/reference/ch-tune.en.html#s9.2.3
  [4] http://www.debian.org/doc/manuals/securing-debian-howto/ch11.en.html#s11.1.12.1
  [5] http://www.debian.org/doc/manuals/securing-debian-howto/ch11.en.html#s11.1.12.2

Re-wording. Group staff ownership of /home does not seem very useful, as it
only allows directories to be created but not chowned to the user. I guess
that this is a left-over from SysV times when anyone could chown.

The above quoted authoritative Debian references advertise the use of group
staff for semi-trusted users.

>> Use of root-equivalent users and groups may enlarge the attack surface.
> 
> There are a lot of them, though.

Noted. All the more enlargement.

>> If commonly used software allows breaching some security features, then
>> the features need to be changed.
> 
> No security-conscious person uses NFS in a security-sensitive context
> anyway.

Is this hearsay, common knowledge, or documented somewhere?

Please note that NFS was only an example of how root-equivalent things become
an acute issue. (Admittedly my only current example: you rightfully would
not accept past sendmail bugs.)

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia
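
An audit check related to the message above, added here as an example and not part of the original thread: it lists entries of a PATH string that are group- or world-writable, or relative. It assumes the root-equivalence concern is about directories on root's PATH (per the bug title) that a group such as staff can write to; the function name audit_path and the output labels are made up for this example.

```shell
#!/bin/sh
# audit_path PATHSTRING
# Prints one line per risky PATH entry:
#   relative-entry <entry>            empty or non-absolute entry
#   world-writable <dir>              anyone can add files to <dir>
#   group-writable group=<g> <dir>    members of <g> can add files to <dir>
audit_path() {
    _old_ifs=$IFS
    IFS=:
    set -f                          # no globbing while splitting on ':'
    for _dir in $1; do
        case $_dir in
            /*) ;;
            *)  # an empty entry means "current directory"
                echo "relative-entry ${_dir:-<empty>}"
                continue ;;
        esac
        [ -d "$_dir" ] || continue  # missing entries cannot be written to here
        # -L / -H: judge the target when the entry is a symlink (e.g. /bin)
        _grp=$(ls -ldL "$_dir" | awk '{print $4}')
        if [ -n "$(find -H "$_dir" -maxdepth 0 -perm -002)" ]; then
            echo "world-writable $_dir"
        elif [ -n "$(find -H "$_dir" -maxdepth 0 -perm -020)" ]; then
            echo "group-writable group=$_grp $_dir"
        fi
    done
    set +f
    IFS=$_old_ifs
}

# Audit the PATH of the invoking user (run as root to check root's PATH).
audit_path "$PATH"
```

Any directory reported as group-writable lets members of that group place executables where the PATH owner's shell will find them.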
