On Wed, Aug 27, 2003 at 09:13:51PM -0600, Jacob Anawalt wrote: > Bret Comstock Waldow wrote: > >On Wed, 2003-08-27 at 00:39, Kevin Mark wrote: > >>the script can not be accessed by anyone. it can only be called inside > >>the script which can only be run by a root user. So it doesnt see to be > >>security concern (but I'm not a security expert -- will the local guru > >>commment) > > > >I'll be interested to hear it too. In theory, there must be some reason > >it was put in the script in the first place... > > On my system the init.d scripts are o+rx, so anyone can read and execute > them, so the script itself doesn't provide protection. I didn't change > anything so I must assume this is the debian unstable default for > /etc/init.d/ scripts. The commands the script tries to execute, > iptables, iptables-save, iptables-root will not work from a normal user > account.
Yes. If you think about it: there's no point making the script unreadable by default, because anyone can download it from the Debian archive and read it there. Since it isn't set-id, there's no point not making it executable either, because anyone can just read it and execute the same commands from an interactive shell. If iptables worked as a non-root user, the security problem would be there, not in the calling script. In general I don't believe that there's ever any point making non-set-id scripts unreadable or unexecutable, except when they contain sensitive data. -- Colin Watson [EMAIL PROTECTED] -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
