
[Popcon-developers] Bug#429405: Wrong usage of su in /etc/cron.weekly/popularity-contest (New bug)


Hello Bill,

On Mon, 18 Jun 2007 at 17:53, Bill Allombert wrote:
> It is not the case on Debian by default:
> nobody:*:65534:65534:nobody:/nonexistent:/bin/sh

That's true, but it is not as safe as I want to have it on my systems. (All
system users on my system have /bin/sh unless there is a special reason to give them another.)

> Furthermore, the point of user nobody is to be able to run processes
> that have no file access permission outside 'other' (since no files are
> owned by user or group nobody). If you preclude it from running
> programs, then this user is useless. If nobody does not have a default
> shell, every usage of 'su nobody' must hard-code a shell instead of
> following /etc/passwd. This is generally a bad thing. Only root can 'su
> nobody' anyway.

That is incorrect. If you have to call something as nobody, you know the
shell it has to run under. Also, I never ever want a normal user to
su to nobody at all! Moreover, nobody ever has to run an interactive shell
as user nobody! So there is no need for a shell for this user. It is
only a security problem IF the user nobody has a shell: when a server,
e.g. the webserver, has a security flaw while running code as user nobody,
the attacker gets a shell for free (sure, with no home, but there are other
places where nobody can write to)! So never give nobody a shell.

By the way, even if I give it a shell, how can you be sure that calling
/bin/sh from that shell is allowed? Or maybe it has a different syntax for
calling such a shell.

And it is not useless at all, as every cron job can use su -s /bin/sh (or
/bin/bash or /usr/bin/perl ... as you wish). This is also the case with
/etc/cron.weekly/popularity-contest. You still select a shell explicitly.
Why not select it with "su -s /bin/sh", which is cleaner and the
safest way?

> /etc/cron.weekly/popularity-contest is not the only script to use
> 'su nobody' without -s.

Uh, it's the only one I know of until now. But that is only a side comment;
popcon should be better than all other software, of course. ;-)

Best Regards
-- 
Klaus Ethgen                            http://www.ethgen.de/
pub  2048R/D1A4EDE5 2000-02-26 Klaus Ethgen <Klaus at Ethgen.de>
Fingerprint: D7 67 71 C4 99 A6 D4 FE  EA 40 30 57 3C 88 26 2B
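The "su -s" point made in the reply above, as an added audit helper that is not part of this bug report or of popcon: it flags `su USER` calls in a cron script whose target user has no usable login shell in the given passwd file, so a script that relies on /etc/passwd instead of passing `-s` shows up. The sample passwd and cron files are constructed for the demonstration; `audit_cron_su` and the file paths are assumed names.

```shell
#!/bin/sh
# Added audit helper (not from the bug report): flag 'su USER' calls in a cron
# script that rely on USER's /etc/passwd shell instead of passing 'su -s'.
# Heuristic: tokenises each line; it does not parse shell quoting or comments.

# audit_cron_su CRONFILE PASSWDFILE
# Prints one line per offending call; prints nothing if the script is clean.
audit_cron_su() {
    awk -v passwd="$2" '
    BEGIN {
        # Load login shells keyed by user name from the passwd file.
        while ((getline l < passwd) > 0) { split(l, f, ":"); shell[f[1]] = f[7] }
    }
    {
        n = split($0, t, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            if (t[i] !~ /(^|\/)su$/) continue
            explicit = 0; user = ""
            for (j = i + 1; j <= n; j++) {
                if (t[j] == "-c" || t[j] == "--command") break
                if (t[j] ~ /^(-s|--shell)/) { explicit = 1; break }
                if (t[j] ~ /^-/) continue         # "-", "-l", "-m", ...
                user = t[j]; break                # first non-option word
            }
            if (explicit) continue
            if (user == "") user = "root"         # su with no user means root
            s = (user in shell) ? shell[user] : ""
            if (s == "" || s ~ /\/(nologin|false)$/)
                printf "%s:%d: su %s relies on login shell \"%s\"\n", FILENAME, FNR, user, s
        }
    }' "$1"
}

# Constructed sample files: nobody locked to nologin, and a cron script
# carrying both the reported form and the 'su -s /bin/sh' form.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin' > "$SAMPLE_DIR/passwd"
printf '%s\n' '#!/bin/sh' \
    'su nobody -c "/usr/sbin/popularity-contest > /var/log/popcon"' \
    'su -s /bin/sh nobody -c "/usr/sbin/popularity-contest > /var/log/popcon"' \
    > "$SAMPLE_DIR/popularity-contest"

# Reports only line 2; the 'su -s /bin/sh nobody' call on line 3 is fine.
audit_cron_su "$SAMPLE_DIR/popularity-contest" "$SAMPLE_DIR/passwd"
```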