
Bug#299007: base-files: Insecure PATH



On Thu, Mar 31, 2005 at 06:16:46AM +1000, psz@maths.usyd.edu.au wrote:
> Group staff is an anachronism: its ownership of /home is "wrong". Its use
> and usefulness should be reviewed.

An anachronism? What paradigm shift made it "wrong"?

> Group staff is said to be useful "for helpdesk types or junior sysadmins",
> without warnings that it is in fact root-equivalent.

Who said that?

sg staff -c make install
and 
su root -c make install

are very different security-wise. For one thing, the first will fail if we
mistakenly try to install in /usr instead of /usr/local.

> Use of root-equivalent users and groups may enlarge the attack surface.

There are a lot of them, though.

> If commonly used software allows breaching some security features, then
> the features need to be changed.

No security-conscious person uses NFS in a security-sensitive context
anyway.

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here. 
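
A defensive check on the subject of this bug report, added here as an example (it is not part of the message above or of base-files): it lists the entries of a PATH value that an account or group outside a trusted set could write to, which is the situation the thread debates for group staff. The function name, the reason labels and the default trusted sets (uid 0, gid 0) are assumptions made for the example.

```python
import os
import stat


def audit_path(path_value, trusted_uids=frozenset({0}), trusted_gids=frozenset({0})):
    """Return (entry, reason) pairs for PATH entries that an account or
    group outside the trusted sets could modify."""
    findings = []
    for entry in path_value.split(os.pathsep):
        if not os.path.isabs(entry):
            # Empty and relative entries resolve against the current directory.
            findings.append((entry or ".", "relative"))
            continue
        try:
            st = os.stat(entry)  # follows symlinks, like command lookup does
        except OSError:
            findings.append((entry, "missing"))
            continue
        if not stat.S_ISDIR(st.st_mode):
            findings.append((entry, "not-a-directory"))
            continue
        if st.st_uid not in trusted_uids:
            findings.append((entry, "foreign-owner"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((entry, "world-writable"))
        if st.st_mode & stat.S_IWGRP and st.st_gid not in trusted_gids:
            findings.append((entry, "group-writable"))
    return findings


if __name__ == "__main__":
    # Audit the PATH of the current process (run it as root to audit root's PATH).
    for entry, reason in audit_path(os.environ.get("PATH", "")):
        print(f"{reason:16} {entry}")
```

It inspects only each directory itself, not its parent directories or the files inside it.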


