Forum: Cfengine Help Subject: Re: can not execute a user-only and non-root executable Author: santa Link to topic: https://cfengine.com/forum/read.php?3,21010,21070#msg-21070
In my case I find it strange. As a root user in a shell, I need to disable a service in /etc/inetd.conf: I edit it, comment out lines (like login), and launch inetd -c for inetd to take the changes into account, inetd being owned by bin. Being run by cfengine, the same operation is considered unsafe. So a standard HP-UX administration task to secure the system is insecure? That's a problem.

But I'm OK that root-only commands being owned by bin is weird. Even as bin, I can not launch inetd -c.

It's the system admin's responsibility to manage rights on scripts/binaries that he (or cfengine) launches. If he wants to be sure of these rights, why not force cfengine to change rights on some scripts/binaries he must launch? A checksum could be managed by the sys admin in cfengine, for every script/binary launched. It would be in a secure configuration with a "flag" in a configuration file, maybe on a file-per-file basis.

But I agree that the code seems to allow any script/binary with x right on other to be launched by cfengine. I've not thought about it before sauer's post.

> From a security point of view that's a big problem, if we consider the goal of
> this function is to check file is secure enough to be launched by cfengine.

_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
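The pre-execution gate discussed in this thread (trusted owner, no group/world write bit, optional admin-managed checksum), written out as an added example; this is not cfengine's own check, and the owner allow-list "root bin", the TRUSTED_OWNERS variable and the check_exec name are assumptions for illustration.

```shell
# Added example, not cfengine code. Refuses to approve a program unless its
# owner is in an allow-list, it is not group- or world-writable, and (when a
# digest is supplied) its sha256 matches the one the admin recorded.
# Assumes GNU stat (-c) and sha256sum, as found on Linux coreutils.

TRUSTED_OWNERS=${TRUSTED_OWNERS:-"root bin"}   # assumed allow-list

# check_exec PATH [EXPECTED_SHA256]
# Returns 0 if PATH may be run; otherwise prints a reason and returns non-zero.
check_exec() {
    path=$1
    expected=${2:-}

    [ -f "$path" ] || { echo "refuse: $path is not a regular file" >&2; return 1; }

    # stat prints e.g. "755 bin": octal permission bits and owner name.
    set -- $(stat -c '%a %U' "$path")
    mode=$1
    owner=$2

    # Owner must be in the allow-list (word match on a space-padded string).
    case " $TRUSTED_OWNERS " in
        *" $owner "*) ;;
        *) echo "refuse: owner '$owner' not in [$TRUSTED_OWNERS]" >&2; return 2 ;;
    esac

    # Reject if the group or other write bits (octal 022) are set:
    # anyone who can write the file controls what runs.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "refuse: mode $mode is group/world writable" >&2
        return 3
    fi

    # Optional content pin: compare against the digest the admin manages.
    if [ -n "$expected" ]; then
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "refuse: sha256 $actual does not match recorded $expected" >&2
            return 4
        fi
    fi
    return 0
}

# Usage: TRUSTED_OWNERS="root bin" check_exec /usr/sbin/inetd <recorded-sha256> && /usr/sbin/inetd -c
```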