On Monday 07 December 2015 08:38:28 you wrote:
> Rainer Stratmann wrote:
> > What works is an entry in the sudoers file.
> > And then the program/script you can call with root rights.
>
> I hope this is for something that will only ever run on your own
> machine, because unless you take a lot of precautions (hardcoding a set
> of *absolute* paths to scripts that may be executed this way like
> Michael mentioned can help, but only if you can guarantee none of these
> locations can be overwritten, symlinked to somewhere else or substituted
> through mounting), this is a security disaster waiting to happen.
I am aware of some security stuff. And I asked myself often to do more security. For example disabling ssh on the machine. And some more. But in some cases I need root access. The location is secret and is deleted after the call. That's all I can do so far. Only this application runs on the machine. With 'setuid binary' I am not familiar.

> A lot of security holes in various Unix-like OSes happen through abuse
> of setuid helpers or helper programs executed as root. If you really
> need to do something as root, having a small setuid binary that can only
> do this one thing is much safer than invoking a general purpose shell
> that can do anything. You can find a very basic overview of some issues
> at
> https://developer.apple.com/library/mac/documentation/OpenSource/Conceptual/ShellScripting/ShellScriptSecurity/ShellScriptSecurity.html .
>
> If everything mentioned there isn't completely obvious to you, please do
> not distribute any program that invokes shell scripts as root before you
> familiarise yourself very thoroughly with security at the Unix/shell
> level. And even if it is, ask yourself whether there is no safer way to
> achieve the same results.
>
>
> Jonas
> _______________________________________________
> fpc-pascal maillist - fpc-pascal@lists.freepascal.org
> http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal
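Jonas's suggestion of a small setuid binary that can only do one thing, as an added example that is not code from this thread or from FPC: a C helper that maps a whitelisted action name to a hardcoded absolute path, scrubs the environment and execs only that script. The action names and the script paths under /usr/local/libexec/myapp are hypothetical placeholders.

```c
/* Minimal setuid helper: runs one of a fixed set of scripts by absolute
 * path with a scrubbed environment. Added example; paths are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Whitelist of action name -> absolute path. Nothing else can be run. */
struct action { const char *name; const char *path; };
static const struct action ACTIONS[] = {
    { "backup", "/usr/local/libexec/myapp/backup.sh" },
    { "rotate", "/usr/local/libexec/myapp/rotate.sh" },
};

/* Absolute path for a whitelisted action, or NULL. The user-supplied
 * name is only compared, never used to build a path, so "../", absolute
 * paths or shell metacharacters cannot widen what gets executed. */
const char *allowed_action(const char *name)
{
    if (name == NULL) return NULL;
    for (size_t i = 0; i < sizeof ACTIONS / sizeof ACTIONS[0]; i++)
        if (strcmp(name, ACTIONS[i].name) == 0)
            return ACTIONS[i].path;
    return NULL;
}

/* Environment for the child: fixed PATH, nothing inherited from the
 * caller (no LD_PRELOAD, IFS, BASH_ENV, PS4, ...). */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Decide without executing: 0 = allowed, 2 = wrong argument count,
 * 3 = action not in the whitelist. */
int helper_check(int argc, char **argv)
{
    if (argc != 2) return 2;
    return allowed_action(argv[1]) ? 0 : 3;
}

int main(int argc, char **argv)
{
    int rc = helper_check(argc, argv);
    if (rc != 0) { fprintf(stderr, "usage: helper <backup|rotate>\n"); return rc; }
    /* The setuid bit only raises the effective uid; make the real uid
     * root too, then exec the fixed script with fixed argv and env. */
    if (setuid(0) != 0) { perror("setuid"); return 1; }
    const char *path = allowed_action(argv[1]);
    char *const child_argv[] = { (char *)path, NULL };
    execve(path, child_argv, SAFE_ENV);
    return 1;  /* only reached if exec failed */
}
```

This covers the fixed-path and environment points only; Jonas's caveat about the script locations themselves being replaced or symlinked still has to be met by the ownership and permissions of that directory.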