Robert Connolly wrote:
> On Sunday 27 August 2006 23:41, Randy McMurchy wrote:
>> Robert Connolly wrote these words on 08/27/06 22:20 CST:
>>> All I'm trying to say is that adding someone to group root should not be
>>> exploitable, at least not without further misconfiguration.
>> And all Bruce (as well as myself) is saying is that *nobody* should
>> be added to the root group unless that person is trusted with root
>> privileges.
>>
>> Robert, please name just *one* instance where an admin would add
>> somebody to the root group, but wouldn't trust that person with root
>> privileges.
>
> /root is 0750. Why would /root be readable by group root, but not
> writable? /etc/sudoers is also installed readable by group root, but not
> writable. These are just examples where someone in group root has
> limited/calculated privileges.
>
>> Bottom line is that nobody should be added to the root group unless
>> that person is a trusted user.
>
> I agree that only trusted users should be in group root, but being in
> someone's group should not allow escalation to taking over the account.
> It undermines the purpose of having groups.

Robert, I think you are missing the point. We aren't saying that the /bin/ping executable should have group write permissions. I think that is an oversight and should be changed.

We are saying that it's not really a significant vulnerability. Yes, it could be used to escalate to a uid root by someone in the root group if the administrator is stupid and adds a user to the root group. It would also be stupid to `chmod -R o+w /bin`. We just can't stop every possible misconfiguration admins can make.

In the security world, having a system binary as group write would flag a problem, but since the group should always be empty, it will be considered very minor.

  -- Bruce
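
An audit for the two conditions argued over in this thread, group-writable files owned by a given group and that group having members, as an added example that is not from either poster or from the LFS project. The function names and the choice to pass the directory, group and group file as arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Paths are parameters so the
# check can be pointed at a test tree instead of the live system.

# List regular files under DIR that are group-owned by GROUP (name or
# numeric gid) and have the group-write bit set.
group_writable_files() {
    find "$1" -type f -group "$2" -perm -020 2>/dev/null | sort
}

# List supplementary members of GROUP (name or gid) from a
# group(5)-format file. Users whose primary gid is GROUP's gid
# (set in passwd) are not covered by this check.
group_members() {
    awk -F: -v g="$1" '($1 == g || $3 == g) && $4 != "" {
        n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i]
    }' "${2:-/etc/group}"
}

# Returns 0 when both lists are empty, 1 when only one condition
# holds, 2 when group-writable files and group members exist together.
audit_group_write() {
    a_files=$(group_writable_files "$1" "$2")
    a_members=$(group_members "$2" "${3:-/etc/group}")
    a_rc=0
    if [ -n "$a_files" ]; then
        printf 'group-writable, group %s:\n%s\n' "$2" "$a_files"
        a_rc=$((a_rc + 1))
    fi
    if [ -n "$a_members" ]; then
        printf 'members of %s: %s\n' "$2" \
            "$(printf '%s' "$a_members" | tr '\n' ' ')"
        a_rc=$((a_rc + 1))
    fi
    return "$a_rc"
}

# Example invocation: sh audit.sh /bin root
if [ "$#" -ge 2 ]; then audit_group_write "$@"; fi
```

An exit status of 2 is the combination the thread disagrees about; a status of 1 means only one of the two conditions is present.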