Re: [cobalt-users] security risk... is this normal?
- From: Dmitry Alexeyev <dmi_a@xxxxxxxxxx>
- Date: Mon Mar 1 11:35:01 2004
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
>
> As Jeff pointed out, the uninstaller scripts. The potential problem
> I see is uninstaller scripts with rm commands in them - these are
> currently able to be run by any shell enabled user - while package
> default installers *SHOULD* set their data folders to be correctly
> permissioned to prevent accidental removal by just anyone, it
> doesn't mean they are, or remain that way. Running the script by a
> non-permissioned user should error all the way - at least you HOPE it
> does. What if the rm has a -r and you have a couple of files in
> there with incorrectly set permission, either by installer screw
> up, or subsequent admin mishap.
What accidental removal are you talking about?
rpm -e removes packages.
Nothing more is used by uninstallers, well, if they are not
brain-damaged.
RPM can't remove anything while it hasn't set the database lock.
If you are not root, you can't lock the database.
So, you get an error. Permission denied. Just as expected.
>
> I'm in the process of training another staff member to admin these
> boxes - I remember nearly 20 years ago screwing up a box completely
> BY ACCIDENT - I don't want that to happen again on one of our boxes!
Do not work as root.
> > > On the other hand all Raq stuff is so 'modern', so anybody
> > > experienced a bit with a shell or php might get root in a couple
> > > of minutes on any raq. It's really easy.
> > > Restrict shell access!
> >
> >While I agree with you here, there's certainly nothing wrong with
> >keeping a system as secure as possible.
>
> While I agree that there are many clients out there who should not
> have shell access, there are others who demand it. I'm not doing
> away with shell access - I am trying to lock down my permissions
> without changing the business model.
And that's right, but there's no point in restricting access to
uninstallers, because rpm already takes care of it.
To make yourself feel happy, you may restrict rpm access, so no
uninstallers will ever try to work.
WBR,
Dmitry