It's better to be statically linked. However, all setuid programs present a threat. The challenge as a security administrator is to assess and minimize the threat. Smaller programs where you can inspect and understand the program are more trustable than large complex programs.
Richard

----- Reply message -----
From: "Woodruff, Robert J" <[email protected]>
Date: Wed, May 26, 2010 17:43
Subject: [ewg] Allowing ib dignostics to be run without being logged in as root.
To: "[email protected]" <[email protected]>, "'Hal Rosenstock'" <[email protected]>
Cc: "'EWG'" <[email protected]>

If the application is statically linked and trusted, then, is there no security issue?

-----Original Message-----
From: Informatix solutions [mailto:[email protected]]
Sent: Wednesday, May 26, 2010 9:30 AM
To: Woodruff, Robert J; 'Hal Rosenstock'
Cc: 'EWG'
Subject: RE: [ewg] Allowing ib dignostics to be run without being logged in as root.

The issue is that it is entirely dependent on the security integrity of the application with the setuid bit set. If someone can insert code, or swap a dynamically linked library with their own alternative, it becomes possible to have your own code executed as root. The system is then completely compromised.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Woodruff, Robert J
Sent: 26 May 2010 17:19
To: Hal Rosenstock
Cc: EWG
Subject: Re: [ewg] Allowing ib dignostics to be run without being logged in as root.

Hal wrote,
>sudo can be configured for specific commands to be allowed to specific users.

Then perhaps that is a safer way to do it, but it would put more work on the system admin to set it up for people, but if setting the permissions of the commands to setuid root opens up a security hole, we would not want that.

Does anyone know if setting the permissions to setuid root does actually open up a security hole?

woody

_______________________________________________
ewg mailing list
[email protected]
http://lists.openfabrics.org/cgi-bin/mailman/listinfo/ewg
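An added example, not part of the thread or of any OFED code: one way an administrator could assess the setuid exposure discussed above is to list every setuid file under a directory and report whether it is statically or dynamically linked and whether anyone other than the owner can write to it. It assumes that the presence of a PT_INTERP program header is what marks a binary as dynamically linked; the function names and the default directory are illustrative.

```python
import os
import stat
import struct
import sys

PT_INTERP = 3  # program header that names the runtime loader (assumed marker of dynamic linking)

def elf_linkage(data: bytes) -> str:
    """Return 'dynamic', 'static', 'not-elf' or 'unknown' (truncated) for an ELF image."""
    if len(data) < 52 or data[:4] != b"\x7fELF" or data[4] not in (1, 2) or data[5] not in (1, 2):
        return "not-elf"
    end = "<" if data[5] == 1 else ">"
    if data[4] == 2:  # ELFCLASS64
        if len(data) < 64:
            return "unknown"
        (phoff,) = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
    else:  # ELFCLASS32
        (phoff,) = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + 4 > len(data):
            return "unknown"
        (p_type,) = struct.unpack_from(end + "I", data, off)
        if p_type == PT_INTERP:
            return "dynamic"  # the loader will pull in shared libraries at run time
    return "static"

def audit_setuid(root: str):
    """Yield (path, owner_uid, linkage, writable_by_group_or_other) per setuid file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID):
                continue
            try:
                with open(path, "rb") as f:
                    linkage = elf_linkage(f.read())
            except OSError:
                linkage = "unreadable"  # e.g. mode 4711 when not run as root
            yield path, st.st_uid, linkage, bool(st.st_mode & 0o022)

if __name__ == "__main__":
    for row in audit_setuid(sys.argv[1] if len(sys.argv) > 1 else "/usr/bin"):
        print("%s uid=%d %s writable=%s" % row)
```

Entries reported as `dynamic` with `uid=0`, or with `writable=True`, are the ones to review first, since they match the two cases raised in the thread: a swapped shared library and inserted code.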
