Bug#299007: base-files: Insecure PATH
On Sat, Mar 19, 2005 at 09:35:42PM +1100, psz@maths.usyd.edu.au wrote:
>Thanks for pointing those out! Add group tty also? All should be
>"squashed" (and the objects owned by root:root instead).
Hey, good idea! Why don't we ditch *all* the groups and have everything
groupt root!
That "src" group is *obviously* a security risk, it makes any user in
that group root-equiv since they can dick with /usr/src/linux...
Sheesh. Get a grip.
The various role groups are useful, and typically *increase* security
since they provide limited access to certain files/subtrees. Moreover
by default no user is placed into those groups.
Your argument is that exporting a writable / or /usr via NFS exposes you
to possible exploits? Then DON'T DO THAT.
Can you give a realistic example where one would *want* such an export?
Moreover one without all_squash?
NFS exports of /usr for diskless workstations are typically read-only,
and in such cases / is either also read-only or specific to the client.
--bod
Reply to: