Re: Rationale
On Mon, 01 Dec 2003 21:08:34 +0000, Randy Orrison wrote:
> Paul Morgan wrote:
>> The key in any case is to protect your /usr/local... from anyone except
>> root writing to it, and also not to put current directory in root's path.
>
> Excellent idea. Too bad debian doesn't do that out of the box.
>
>> /usr/local... doesn't exist so non-admins can put commands in there; they
>> should be putting them in somewhere in their /home or in their apps
>> directories.
>
> I think the point here is that the default debian install leaves
> /usr/local/bin writable by group staff. This is an easy privilege
> escalation route, if someone gets a staff group account and drops
> replacement executables in /usr/local/bin.
>
> From the debian reference, section 9.2.3: "staff membership is useful
> for helpdesk types or junior sysadmins, giving them the ability to do
> things in /usr/local and to create directories in /home" -- would you
> trust them with root?
>
> No, root shouldn't have /usr/local/[s]bin in its path before the
> standard directories. If root wants customised binaries that override
> system standard ones, he should customise his path himself to include
> /root/bin and make sure no-one else has write access to it. You could
> probably make a case for root not having *any* directories *anywhere* in
> its path that are writable by anyone other than root.
>
> Randy
Default debian install creates no /usr/local directories, at least it never
has for me.
Also, default debian installation does *not* put cwd in root's path.
And, note that the debian reference that you quoted doesn't say anything
about /usr/local/bin or sbin, just that they should be able to do things
in /usr/local. IMO /usr/local/bin and sbin are production directories and
nothing should go in there which hasn't gone through the site's normal
production QA and change/version control procedures, so root need be the
only person who writes in there, used by the version control manager,
maybe.
--
....................paul
"Reports that say that something hasn't happened are always interesting
to me, because as we know, there are known knowns; there are things we
know we know. We also know there are known unknowns; that is to say we
know there are some things we do not know. But there are also unknown
unknowns - the ones we don't know we don't know."
- Donald Rumsfeld, US Secretary of Defense, Winner of British Plain
English Campaign's 2003 "Foot in Mouth" award.
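An added audit script (not part of this thread) that checks a PATH string for the two risks Randy and Paul raise: relative or empty entries, which make the shell search the current directory, and directories that someone other than root could write into, such as a group-staff-writable /usr/local/bin. The function name, the output labels and the default owner of "root" are assumptions made here.

```sh
#!/bin/sh
# Audit a PATH string for the two risks discussed above: a relative or empty
# entry (the current directory), and a directory that a non-root user could
# write into (not owned by the expected owner, or group/world-writable, e.g. a
# group-staff-writable /usr/local/bin). Usage: check_path_dirs "$PATH" [owner]
# The owner argument defaults to root (assumption: only that account should
# own PATH directories). The number of findings is the exit status.

check_path_dirs() {
    rest="$1:"                  # trailing ':' so the last entry is processed
    want_owner="${2:-root}"
    findings=0
    while [ -n "$rest" ]; do
        dir="${rest%%:*}"
        rest="${rest#*:}"
        case "$dir" in
            /*) ;;              # absolute path: run the ownership checks below
            *)  # Empty, "." or any relative entry is resolved against the
                # current directory, so a file planted there runs as root.
                echo "relative-entry: '$dir'"
                findings=$((findings + 1))
                continue ;;
        esac
        [ -d "$dir" ] || continue   # a non-existent entry cannot be abused
        # 'ls -ld' fields: mode, link count, owner, group, ... (POSIX format)
        set -f                      # no globbing while splitting ls output
        set -- $(ls -ld "$dir")
        set +f
        mode=$1 owner=$3 group=$4
        if [ "$owner" != "$want_owner" ]; then
            echo "not-owned-by-$want_owner: $dir (owner $owner)"
            findings=$((findings + 1))
        fi
        case "$mode" in
            ????????w*)             # other-write bit (9th character)
                echo "world-writable: $dir"
                findings=$((findings + 1)) ;;
            ?????w*)                # group-write bit (6th character)
                echo "group-writable: $dir (group $group)"
                findings=$((findings + 1)) ;;
        esac
    done
    return "$findings"
}

# Check the usual Debian root PATH; a non-zero status means findings.
check_path_dirs "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" \
    || echo "$? PATH entries need attention"
```

A group-writable directory is reported together with its group so the admin can decide whether that group (staff, in the case discussed above) should really be able to replace binaries that root will run.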