[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-users] security risk... is this normal?

Subject: Re: [cobalt-users] security risk... is this normal?
From: Jeff Lasman <blists@xxxxxxxxxxxxx>
Date: Mon Mar 1 10:59:01 2004
Organization: nobaloney.net
List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>

On Monday 01 March 2004 10:35 am, Dmitry Alexeyev wrote:

> Since it is not setuid, where do you see security risks?
> Look into /etc/rc.d/init.d/* - they are all 755.
> And there's no risk

Just because a distribution chooses to use insecure permissions and 
rights, doesn't mean there's no risk.

There probably isn't much risk in the files in /etc/rc.d/init.d/, since 
they all run programs that once running as root can't be stopped by 
anyone but root.  But still I wouldn't set up a system that way.

> rpm can only access to it's base being the root user normally...

RPMs don't have any such limitation; generally the programs being 
installed require RPM to be run as root, but RPM doesn't care.

Generally if you're not root you can only uninstall something you've 
installed yourself, but again, that depends on permissions and rights.

> > ps - I noticed that a third-party installation of phpMyAdmin from
> > NuOnce was CORRECTLY set as 700 and root/root owner/group - thereby
> > removing the possibility that a non-permissioned user could cause
> > any problem.

And certainly you can change the other uninstallers to have the same 
rights/privileges/owner.

> rpm -qa gives you installed rpm list
> rpm -e could delete any package.

Unless run by root, rpm -e can only delete a package installed by the 
user who installed it.

> Why setting it to 700? Well, someone may see what rpm package is it,
> and so what?

Why set what to 700?  The RPM executable?  Actually, on a RaQ that's 
probably a good idea.

The uninstallers.  Sure.  No problem.  Might not be much extra security, 
but it doesn't cause problems.

> On the other hand all Raq stuff is so 'modern', so anybody
> expierenced a bit with a shell or php might get root in a couple of
> minutes on any raq. It's really easy.
> Restrict shell access!

While I agree with you here, there's certainly nothing wrong with 
keeping a system as secure as possible.

> Restrict PHP & CGI!

...to the greatest extent possible without risking losing all your 
clients.

Jeff
-- 
Jeff Lasman, nobaloney.net, P. O. Box 52672, Riverside, CA  92517 US
Professional Internet Services & Support / Consulting / Colocation
Our blists address used on lists is for list email only
Phone +1 909 324-9706, or see: "http://www.nobaloney.net/contactus.html";

Follow-Ups:
- Re: [cobalt-users] security risk... is this normal?
  - From: Greg Hewitt-Long
- Re: [cobalt-users] security risk... is this normal?
  - From: Dmitry Alexeyev

References:
- [cobalt-users] raq550: starting clock...
  - From: > freitag lab. ag / nafroth
- [cobalt-users] security risk... is this normal?
  - From: Greg Hewitt-Long
- Re: [cobalt-users] security risk... is this normal?
  - From: Dmitry Alexeyev

Prev by Date: Re: [cobalt-users] security risk... is this normal?
Next by Date: [cobalt-users] Zeffie Announcement for FREE RaQ4 whois pkg at http://www.zeffie.net/whois.html
Previous by thread: Re: [cobalt-users] security risk... is this normal?
Next by thread: Re: [cobalt-users] security risk... is this normal?

Sun Cobalt Users Message Index

Sun Cobalt Users Thread Index