Re: Security issue? Daemon users has to much rights...
On Tue, Oct 26, 2004 at 10:33:20AM +0100, Duncan Simpson wrote:
I think groups might be enough here. Just remember group access does not
have be more than other access. I could create a gorup called nobin and
do something like
# chgrp nobin /bin
# chmod 705 /bin
# chgrp nobin /usr/sbin/some_daemon
# chmod g+s /usr/sbin/some_daemon
After this, unless the daemon runs as root, when shell code tries to
execute /bin/sh it fails due to lack of search permission on /bin. You
coulld apply similar moves to individual binaries if you prefer. The
magic here is that the setgid access us *less* thgan you normally have.
You can probably limit access by setuid to a special user too.
That's fairly ridiculous. You get the same effect (stopping kiddie
scripts) by doing something clever like moving /bin/sh to /bin/haha.
You've done a net nothing to actually improve security. If you do this
for all your daemons you'll actually reduce security by running all of
them with the same group (potentially allowing them to access each
other's data). It won't work at all on a daemon that runs in a specific
POSIX acl's would allow you to do more in this line before you needed a
wrapper program (which could set several access reducing groups, chroot,
etc). SElinux gets you even further from what I have heard but make it
easy to shoot yourself in the foot.
This also shoots yourself in the foot--it's ineffective as outlined, and
incredibly complex for a naive administrator to work with.