Forum: Cfengine Help
Subject: Re: can not execute a user-only and non-root executable
Author: sauer
Link to topic: https://cfengine.com/forum/read.php?3,21010,21057#msg-21057

mark Wrote:
-------------------------------------------------------
> If cfengine would execute a file that were
> writable by a non-root user, then in principle any
> user might be given the power of root merely by
> writing a script. This is a way of "approving"
> scripts for run by root.


But that's not what the code above says.  The above code just checks to see if 
the user is the same as the cfengine user and the user execute bit is set, then 
if the world execute bit is set, and then if the group execute bit is set and 
the current user is in the group which owns the file.

Excluding the ability to execute binaries which are writeable by the group 
would be an excessive security measure which would badly cripple cfengine's 
ability to operate; there are *plenty* of appropriate uses for group-writeable 
programs to be executed by a root process.  IMHO, (ignoring sudoedit) it'd be 
far better to have a group of admin users able to edit a script under the 
permissions of their own account rather than switching to root in order to edit 
an administrative script - the less time a human spends as root, the better. :) 
 Besides, someone must configure the root process (Cfengine) to execute the 
script, and if they have the power to write arbitrary Cfengine code, then they 
also have the ability to just change the owner of a script to root before 
executing it - and change it back afterwards, if they're feeling devious.


In any event, the behavior coded above doesn't match the behavior of /bin/sh 
(ksh88) on an ia64 HP-UX 11.23 system, and I'd be inclined to use the shell as 
the prototype for this kind of thing.  I just touched an empty file, and the 
shell's -x test returns true for root regardless of the owner or group on the 
file, and regardless of whether the permissions are 0544, 0454, or 0445.  If 
the permissions are 0444, the -x test returns false.  Perl does the same thing. 
 Since that matches reality - root can execute anything which has any execute 
bit set (ignoring things like SELinux) - it seems reasonable that Cfengine 
would follow that paradigm.  I can certainly appreciate the desire to avoid 
making exceptions in the code, but this situation seems to me like a worthwhile 
place to consider making an exception. :)

_______________________________________________
Help-cfengine mailing list
Help-cfengine@cfengine.org
https://cfengine.org/mailman/listinfo/help-cfengine
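
Added example, not part of the original post and not Cfengine's own code: the check as the post describes it, next to the root semantics the post observes with the shell's -x test, plus the separate writability question from the quoted reply. The struct, function names and uid 1000 are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Constructed description of a file and of the process asking about it. */
struct exec_query {
    mode_t mode;      /* permission bits of the file */
    uid_t  file_uid;  /* owner of the file */
    uid_t  proc_uid;  /* effective uid of the caller (0 = root) */
    bool   in_group;  /* caller is a member of the file's group */
};

/* The check as the post describes it: owner bit only when the caller owns
 * the file, then the world bit, then the group bit if the caller is a member. */
bool described_check(const struct exec_query *q) {
    if (q->file_uid == q->proc_uid && (q->mode & S_IXUSR)) return true;
    if (q->mode & S_IXOTH) return true;
    return (q->mode & S_IXGRP) && q->in_group;
}

/* Semantics the post reports for the shell's -x test: root passes when any
 * execute bit is set; other users are judged by their one matching class. */
bool shell_like_check(const struct exec_query *q) {
    if (q->proc_uid == 0)
        return (q->mode & (S_IXUSR | S_IXGRP | S_IXOTH)) != 0;
    if (q->file_uid == q->proc_uid) return (q->mode & S_IXUSR) != 0;
    if (q->in_group) return (q->mode & S_IXGRP) != 0;
    return (q->mode & S_IXOTH) != 0;
}

/* The separate question from the quoted reply: can a non-root account modify
 * the file? Conservatively assumes the file's group has non-root members. */
bool writable_by_non_root(mode_t mode, uid_t file_uid) {
    return (mode & (S_IWGRP | S_IWOTH)) || (file_uid != 0 && (mode & S_IWUSR));
}

int main(void) {
    /* The four modes tried in the post; file owned by constructed uid 1000,
     * caller is root and not a member of the file's group. */
    const mode_t modes[] = { 0544, 0454, 0445, 0444 };
    for (size_t i = 0; i < sizeof modes / sizeof modes[0]; i++) {
        struct exec_query q = { modes[i], 1000, 0, false };
        printf("%04o described=%d shell_like=%d non_root_writable=%d\n",
               (unsigned)modes[i], described_check(&q), shell_like_check(&q),
               writable_by_non_root(modes[i], q.file_uid));
    }
    return 0;
}
```

The two checks disagree for root on 0544 and 0454, and executability is independent of whether a non-root account can write the file.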
