[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [RFC] disabled root account / distinct group for users with administrative privileges



On Wed, 20 Oct 2010, Vincent Danjean <vdanjean.ml@free.fr> wrote:
> > How about the "root" group?
> 
> This would hurt systems where umask is 002 (or 007) by default (the root
> group is the primary group of the root user with nobody else in it)

find / -gid 0 -perm /20 \! -type l

The above find command will discover some of the cases where access to the 
root group will give direct access to interesting things.  From a quick run on 
a Squeeze system I noticed that with GID==0 you can apparently write directly 
to all USB devices (/dev/bus/usb/*/* is writable).

However it would be nice if GID==0 wouldn't actually cause any problems and 
it's good that GID==0 gets less write access to a Debian system than last time 
I checked.  There are too many people who write daemons that call setuid() 
before calling setgid() to drop privileges...

-- 
russell@coker.com.au
http://etbe.coker.com.au/          My Main Blog
http://doc.coker.com.au/           My Documents Blog


Reply to: