Re: [cobalt-users] security risk... is this normal?
- Subject: Re: [cobalt-users] security risk... is this normal?
- From: Dmitry Alexeyev <dmi_a@xxxxxxxxxx>
- Date: Mon Mar 1 11:34:00 2004
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
> > Look into /etc/rc.d/init.d/* - they are all 755.
> > And there's no risk
>
> Just because a distribution chooses to use insecure permissions and
> rights, doesn't mean there's no risk.
Having secure permissions doesn't help to avoid all the risks.
> RPMs don't have any such limitation; generally the programs being
> installed require RPM to be run as root, but RPM doesn't care.
>
> Generally if you're not root you can only uninstall something you've
> installed yourself, but again, that depends on permissions and
> rights.
Only root can install rpms. Nobody else.
> > rpm -e could delete any package.
>
> Unless run by root, rpm -e can only delete a package installed by the
> user who installed it.
You can't install a package without being the root user.
And you can't remove anything.
Maybe modern rpm 4.3 in a Fedora 2b environment allows it, but that is not
really smart.
Yes, you can build an rpm from a src.rpm on some systems; ALT Linux is one of
them. But it can only be installed as root.
>
> > Why setting it to 700? Well, someone may see what rpm package is
> > it, and so what?
>
> Why set what to 700? The RPM executable? Actually, on a RaQ that's
> probably a good idea.
Every rpm package is made from a special 'spec' file. It has a %files
chapter, where you list all the files this package has.
If you want to force permissions, you say so.
%files -f %{name}.lang
%defattr(-,root,root)
^ this macro selects the default permissions/owners
%attr(2755,root,slocate) /usr/bin/slocate
^ this is a particular executable
>
> The uninstallers. Sure. No problem. Might not be much extra
> security, but it doesn't cause problems.
All uninstallers are handled by pkg files by the way...
>
> While I agree with you here, there's certainly nothing wrong with
> keeping a system as secure as possible.
>
> > Restrict PHP & CGI!
>
> ...to the greatest extent possible without risking losing all your
> clients.
If you have PHP or CGI on a RaQ, you have instant root.
WBR
Dmitry
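
Added example, not part of the original message: a small Python audit of the %files mechanism described above, resolving %defattr/%attr for each listed path and flagging setuid, setgid and world-writable modes. The function names, the example.conf and man-page entries, and the handling of "-" in %attr as a fallback to %defattr are assumptions of this sketch; other %files directives (%dir, %config, %doc) are skipped.

```python
import re

# Constructed sample: the three %files lines from the message, plus two
# invented entries (example.conf, the man page) to exercise the other paths.
SAMPLE_SPEC = """\
%files -f %{name}.lang
%defattr(-,root,root)
%attr(2755,root,slocate) /usr/bin/slocate
%attr(0666,-,-) /etc/example.conf
/usr/share/man/man1/slocate.1*
%changelog
"""

DIRECTIVE = re.compile(r"%(defattr|attr)\(([^)]*)\)\s*(\S*)")

def mode_flags(mode):
    """Name the risky bits in an octal mode string; '-' means 'as built'."""
    if mode == "-":
        return ["mode-from-buildroot"]
    bits = int(mode, 8)
    names = [(0o4000, "setuid"), (0o2000, "setgid"), (0o0002, "world-writable")]
    return [name for mask, name in names if bits & mask]

def audit_files_section(spec_text):
    """Return [(path, mode, owner, group, flags)] for one %files section."""
    default, in_files, out = ["-", "-", "-"], False, []
    for line in map(str.strip, spec_text.splitlines()):
        if line.startswith("%files"):
            in_files = True
            continue
        if in_files and line.startswith("%changelog"):
            break
        if not in_files or not line:
            continue
        m = DIRECTIVE.match(line)
        if m and m.group(1) == "defattr":
            default = [f.strip() for f in m.group(2).split(",")][:3]
        elif m:
            attr = [f.strip() for f in m.group(2).split(",")][:3]
            # Assumption: a '-' field in %attr falls back to the %defattr value.
            mode, owner, group = [d if a == "-" else a for a, d in zip(attr, default)]
            out.append((m.group(3), mode, owner, group, mode_flags(mode)))
        elif not line.startswith("%"):
            out.append((line, *default, mode_flags(default[0])))
    return out

if __name__ == "__main__":
    for entry in audit_files_section(SAMPLE_SPEC):
        print(entry)
```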