On Sunday 27 August 2006 23:41, Randy McMurchy wrote:
> Robert Connolly wrote these words on 08/27/06 22:20 CST:
> > All I'm trying to say is that adding someone to group root should not be
> > exploitable, at least not without further misconfiguration.
>
> And all Bruce (as well as myself) is saying is that *nobody* should
> be added to the root group unless that person is trusted with root
> privileges.
>
> Robert, please name just *one* instance where an admin would add
> somebody to the root group, but wouldn't trust that person with root
> privileges.

/root is 0750. Why would /root be readable by group root, but not writable? /etc/sudoers is also installed readable by group root, but not writable. These are just examples where someone in group root has limited/calculated privileges.

> Bottom line is that nobody should be added to the root group unless
> that person is a trusted user.

I agree that only trusted users should be in group root, but being in someone's group should not allow escalation to taking over the account. It undermines the purpose of having groups.

> --
> Randy
>
> rmlscsi: [bogomips 1003.23] [GNU ld version 2.16.1] [gcc (GCC) 4.0.3]
> [GNU C Library stable release version 2.3.6] [Linux 2.6.14.3 i686]
> 22:38:01 up 3 days, 7:08, 1 user, load average: 0.02, 0.02, 0.00
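An audit for the situation discussed in this message, as an added example that is not part of the original post: it lists paths that belong to a given group and carry the group-write bit, which is where group membership goes beyond the read-only access of a 0750 /root or a group-readable /etc/sudoers. The function names and the sample tree are constructed for illustration, and gid 0 is assumed to be group root.

```python
import os
import stat
import tempfile


def group_writable_paths(top, gid=0):
    """Return (path, mode string) for entries under `top` that belong to
    group `gid` and have the group-write bit set. Symlinks are skipped."""
    findings = []
    candidates = [top]
    for dirpath, dirnames, filenames in os.walk(top):
        candidates += [os.path.join(dirpath, n) for n in dirnames + filenames]
    for path in candidates:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode) or st.st_gid != gid:
            continue
        if st.st_mode & stat.S_IWGRP:
            findings.append((path, stat.filemode(st.st_mode)))
    return sorted(findings)


def demo():
    """Audit a constructed tree: a 0750 directory and a 0440 file (group
    read-only, as in the message) plus one 0664 file that gets flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "root_home")
        os.mkdir(home)
        os.chmod(home, 0o750)
        layout = {"sudoers": 0o440, "cron_job.sh": 0o664}
        for name, mode in layout.items():
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                fh.write("# constructed sample\n")
            os.chmod(path, mode)
        # The sample files cannot be given gid 0 without root, so the demo
        # audits whatever group the freshly created entries belong to.
        gid = os.lstat(home).st_gid
        found = group_writable_paths(tmp, gid)
        return [(os.path.relpath(p, tmp), m) for p, m in found]


if __name__ == "__main__":
    for path, mode in demo():
        print(mode, path)
```

On a real system the call would be `group_writable_paths("/", 0)`, run as root so that every directory can be traversed.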