Re: Security issue? Daemon users has to much rights...

[Jan Lühr <jluehr@gmx.net>]

Greetings,...

Am Samstag, 23. Oktober 2004 00:36 schrieb Michael Stone:
> On Fri, Oct 22, 2004 at 11:13:55PM +0200, Jan Lühr wrote:
> >Of course, providing security on that level is not the best way to ensure
> > the system's integrity and safety.
> >But why do you think, that security on filesystem level is doomed to
> > failure if it's part of a security concept?
>
> Because you haven't described a practical approach for implementing
> "allow all the users except lp to access mount" in a way which works for
> naive system administrators.

What do you expect here? Of course there is a tradional unix approach (groups 
-ugly one I admit - and a more clean approach using posix  acls). If defaults 
are setted in a senseful way, you can protect suid binaries from being used 
by the wrong users. What's wrong in that idea? As long as you grant right's - 
related to suid - on filesystem level, it's useful to restrict them on this 
level, too.
Sudo is another approach, but sudo makes things even more complicated. Do you 
think, deleting all root-suid bits and using sudo i a better approach for 
naive admins?

Keep smiling
yanosz