Bug#299007: base-files: Insecure PATH
Bill Allombert <allomber@math.u-bordeaux.fr> wrote:
>> Group staff is an anachronism: its ownership of /home is "wrong". Its use
>> and usefulness should be reviewed.
>
> An anachronism? What paradigm shift made it "wrong"?
>
>> Group staff is said to be useful "for helpdesk types or junior sysadmins",
>> without warnings that it is in fact root-equivalent.
>
> Who said that ?
Quoting from the original bug report:
The Debian Reference [3] and Securing Debian Manual [4], [5] say
[group] staff is ... for helpdesk types or junior sysadmins ... to do
things in /usr/local and to create directories in /home.
[group] staff: Allows users to add local modifications to the system
(/usr/local, /home) without needing root privileges.
The 'staff' group are usually help-desk/junior sysadmins, allowing them
to work in /usr/local and create directories in /home.
(This is surely wrong, seems a SysV left-over: you need root privileges to
chown user directories in /home or in fact to create users in /etc/passwd.)
...
[3] http://www.debian.org/doc/manuals/reference/ch-tune.en.html#s9.2.3
[4] http://www.debian.org/doc/manuals/securing-debian-howto/ch11.en.html#s11.1.12.1
[5] http://www.debian.org/doc/manuals/securing-debian-howto/ch11.en.html#s11.1.12.2
Re-wording. Group staff ownership of /home does not seem very useful, as it
only allows directories to be created but not chowned to the user. I guess
that this is a left-over from SysV times when anyone could chown.
The above quoted authoritative Debian references advertise the use of group
staff for semi-trusted users.
>> Use of root-equivalent users and groups may enlarge the attack surface.
>
> There are a lot of them, though.
Noted. All the more enlargement.
>> If commonly used software allows breaching some security features, then
>> the features need to be changed.
>
> No security-conscious person uses NFS in a security-sensitive context
> anyway.
Is this hearsay, common knowledge, or documented somewhere?
Please note that NFS was only an example of how root-equivalent things become
an acute issue. (Admittedly my only current example: you rightfully would
not accept past sendmail bugs.)
Cheers,
Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
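The point argued above, that a PATH directory writable by a non-root group (a staff-owned /usr/local/bin searched by root's PATH) is root-equivalent because a member can plant a program root will run, can be checked mechanically. The script below is an added example and is not code from the bug report, from base-files or from Debian; it audits a colon-separated PATH for entries that are missing, relative, or writable by anyone other than a trusted owner and trusted groups, and flags writable files inside them. The demo tree it builds under a temp directory is constructed for illustration, with the current user standing in for root.

```python
"""Audit a PATH value for entries an untrusted user or group could write to.
Added example; not code from the bug report or from base-files."""
import os
import stat
from typing import Iterable, List, Tuple

Finding = Tuple[str, str]  # (path, problem)


def _untrusted_write(st: os.stat_result, trusted_uid: int,
                     trusted_gids: frozenset) -> List[str]:
    """Reasons a file or directory with this stat can be modified by someone
    other than the trusted owner (normally uid 0) or trusted groups ({0})."""
    reasons = []
    if st.st_uid != trusted_uid:
        reasons.append("owned by untrusted uid")
    if st.st_mode & stat.S_IWGRP and st.st_gid not in trusted_gids:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        # The sticky bit does not save a PATH directory: an attacker can still
        # create a *new* name there that shadows a command found later in PATH.
        reasons.append("world-writable")
    return reasons


def audit_path(path_value: str, trusted_uid: int = 0,
               trusted_gids: Iterable[int] = (0,)) -> List[Finding]:
    """Return (path, problem) pairs for a colon-separated PATH string."""
    gids = frozenset(trusted_gids)
    findings: List[Finding] = []
    seen = set()
    for entry in path_value.split(":"):
        if entry in seen:
            continue
        seen.add(entry)
        if entry == "" or not os.path.isabs(entry):
            # "" and "." mean "whatever directory the caller happens to be in".
            findings.append((entry or "<empty>", "relative entry"))
            continue
        try:
            st = os.stat(entry)
        except FileNotFoundError:
            # Whoever may create it (the parent's owner) controls its contents.
            findings.append((entry, "missing"))
            continue
        if not stat.S_ISDIR(st.st_mode):
            findings.append((entry, "not a directory"))
            continue
        for why in _untrusted_write(st, trusted_uid, gids):
            findings.append((entry, "directory " + why))
        for name in sorted(os.listdir(entry)):
            full = os.path.join(entry, name)
            try:
                fst = os.stat(full)
            except OSError:
                continue
            if stat.S_ISREG(fst.st_mode):
                for why in _untrusted_write(fst, trusted_uid, gids):
                    findings.append((full, "file " + why))
    return findings


def build_demo_tree(base: str) -> str:
    """Constructed layout mimicking the bug's scenario: bin/ is 0755 like a
    root-owned /bin; local/bin/ is group-writable like a staff-owned
    /usr/local/bin; opt/bin/ is sticky and world-writable.  Returns a PATH
    string that also contains an empty entry and a nonexistent directory."""
    layout = {"bin": 0o755, "local/bin": 0o775, "opt/bin": 0o1777}
    for rel, mode in layout.items():
        d = os.path.join(base, rel)
        os.makedirs(d)
        cmd = os.path.join(d, "ls")          # stand-in for an installed command
        with open(cmd, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(cmd, mode & 0o777)
        os.chmod(d, mode)
    return ":".join([os.path.join(base, "local/bin"), os.path.join(base, "bin"),
                     "", os.path.join(base, "opt/bin"),
                     os.path.join(base, "nonexistent")])


def run_demo() -> List[Finding]:
    """Build the demo tree in a temp dir and audit it.  The current user
    stands in for root and no group is trusted, so the result is the same
    whoever runs it; the temp dir is shown as <base>."""
    import tempfile
    with tempfile.TemporaryDirectory() as base:
        path_value = build_demo_tree(base)
        found = audit_path(path_value, trusted_uid=os.getuid(), trusted_gids=())
        return [(p.replace(base, "<base>"), why) for p, why in found]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("PATH", "")
    for where, why in audit_path(target):
        print(f"{why}: {where}")
```

Run it as root with no argument to audit root's real PATH with the defaults (uid 0 and gid 0 trusted); a staff-writable /usr/local/bin shows up as "directory group-writable", which is exactly the exposure the thread is about. Pass a different PATH string as the first argument to audit what a cron job or an su session would see.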