Most of the programs which run as root don't need to, even with their current
design.  All it would take is a few 'chown's, a few configuration file edits,
and you're set.  Hence, many times this problem is a configuration error
instilled by software vendors and distributors.  Other programs must run as
root to keep their current design, which is indeed unacceptable for the most
part.

Personally, I believe that running files as their own separate user is not good
enough; if at all possible, services should be in their own chroot()'ed
environment.  There is no excuse for named to run either as root or
system-wide.  There is no excuse for database servers to run either as root or
system-wide.  Most of these programs which are commonly used by crackers to
fully compromise systems can be reasonably secured as-is, without even doing a
major rewrite (though a major rewrite would obviously be the best COA for the
program authors if they wish to provide real security).

Why are so many distributors so oblivious to this?  Hell, I've replaced about
70% of the total software on our Solaris machines (including all setuid files,
and virtually all daemons), and modified most of the replacements.  Red Hat
distributions aren't really any better (which is only one reason I refuse to
work with a Red Hat distribution of Linux)...

Sigh... it really is so hard to find good software these days....

ari

[EMAIL PROTECTED] said this stuff:

> Pavel Kankovsky writes:
>  > Damned omnipotent root. I hate unix.
> 
> Well, my feeling is that Unix is well designed.  It's just the
> programs that surround it that are not.  First, I'd start with most
> programs written at BSD, and throw them out as "a nice try" by some
> undergraduates.  I've already thrown out the programs *I* wrote as an
> undergraduate.  I see no particular reason to worship anything in the
> BSD.  BTW, Linus feels the same way, which is why you have to fsync "."
> if you want information to be written into ".".
> 
> For example, the standard printing system (lpd/lpr/lpq) runs as root.
> Bad idea.  No reason for it.  Run it under its own userid.  That's how 
> CUPS does it.
> 
> That's how everything should be done under Unix -- as its own userid.
> Other operating systems have Access Control Lists, which let you split
> up permissions in a fine-grained manner.  Unix uses userids, group
> membership, and file ownership, groups, and permissions to achieve the
> same result.  If you don't do this because there's "no reason for all
> those users", as Wietse Venema told me, then when you get a security
> breach in one part of your system, it spreads out over the whole
> system.
> 
> -- 
> -russ nelson <[EMAIL PROTECTED]>  http://russnelson.com
> Crynwr sells support for free software  | PGPok | "Ask not what your country
> 521 Pleasant Valley Rd. | +1 315 268 1925 voice | can force other people to
> Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | do for you..."  -Perry M.
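Both messages make the same point: a daemon should run under its own userid, and Ari adds that it should be confined to a chroot() as well. As an added illustration that is not part of this thread (neither poster's code), the C function below shows the order such a daemon has to follow when it gives up root, and then checks that root really cannot be regained. The service account ids are whatever the caller passes in; the demo helper uses the caller's own ids when not root and falls back to the "nobody" account (an assumption for the demo) when it is.

```c
#define _GNU_SOURCE          /* exposes chroot() and setgroups() in glibc headers */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Confine the process to root_dir (when one is given and we are root)
 * and permanently drop to the given unprivileged uid/gid, in the only
 * order that works: chroot -> setgroups -> setgid -> setuid.
 * Returns 0 on success, -1 (with errno set) on failure. */
int drop_privileges(uid_t uid, gid_t gid, const char *root_dir)
{
    if (uid == 0 || gid == 0) {      /* "unprivileged" must really mean it */
        errno = EINVAL;
        return -1;
    }

    /* chroot() needs root, so it must happen before root is given up;
     * chdir("/") afterwards, or the cwd still points outside the jail. */
    if (root_dir != NULL && geteuid() == 0) {
        if (chroot(root_dir) != 0 || chdir("/") != 0)
            return -1;
    }

    /* Supplementary groups are inherited from the invoking root shell;
     * clearing them needs privilege, so do it while we still have it. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;

    /* gid before uid: once we are no longer root, setgid() to a new group
     * would fail and the process would stay in root's group. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* The drop must be irreversible: setuid(0) only succeeds if a saved
     * uid of 0 was left behind (e.g. by using seteuid() instead). */
    if (setuid(0) == 0) {
        errno = EACCES;
        return -1;
    }
    /* Confirm real and effective ids both landed where we asked. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EACCES;
        return -1;
    }
    return 0;
}

/* Demo helper: pick an unprivileged target.  When not root, the caller's own
 * ids exercise the sequence; when root, fall back to "nobody" (assumed to
 * exist; a real daemon would use its dedicated account via getpwnam()). */
int demo_drop(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (uid == 0) {
        struct passwd *pw = getpwnam("nobody");
        uid = pw ? pw->pw_uid : (uid_t)65534;
        gid = pw ? pw->pw_gid : (gid_t)65534;
    }
    return drop_privileges(uid, gid, NULL);   /* no chroot in the demo */
}

int main(void)
{
    if (demo_drop() != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("running as uid %ld gid %ld; root cannot be regained\n",
           (long)getuid(), (long)getgid());
    return 0;
}
```

Two details matter more than they look: the chroot has to be done while still root and is only a confinement, not a privilege boundary, so a daemon that keeps root inside it has gained little; and the `setuid(0)` probe after the drop is the cheap way to catch the common mistake of using `seteuid()`, which leaves the saved uid at 0 and lets a compromised process switch straight back.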
