Watch what you SUID root. You don't need to SUID traceroute since it
doesn't require root permissions, and you better leave sendmail well
enough alone. tcpdump probably doesn't work since there are other things
it depends on which must run as root. tcpdump, I think, sets the interface
into promiscuous mode which is probably why a simple SUID won't work.
Doesn't matter anyway since you shouldn't allow this kind of access to
regular users.
SUID'ing things can cause users to gain root access and render a system
useless. The permissions are on a system for a reason. Now, if your system
wasn't networked at all (and hence you wouldn't be SUID'ing network
utilities) then more power to you. Make a war box at will.
The most common SUID practice is with pppd, from my experience, which
shouldn't be SUID because users shouldn't have the ability to control
interfaces. Now I, on this system, am both a user and the admin. It's just
lazy to not log in as root and do my job as administrator.
That's my two cents :)
On Mon, 24 Sep 2001, Philip Rowlands wrote:
> I'm sure I'm missing something obvious here, but why can't tcpdump run
> SUID root?
>
> [root@dimebar sbin]# rpm -V tcpdump
> [root@dimebar sbin]# ll tcpdump
> -rwxr-xr-x 1 root root 225564 Feb 14 2001 tcpdump
> [root@dimebar sbin]# chmod 4755 tcpdump
> [root@dimebar sbin]# ll tcpdump
> -rwsr-xr-x 1 root root 225564 Feb 14 2001 tcpdump
> [root@dimebar sbin]# suspend
> [prowlands@dimebar sbin]$ ./tcpdump
> tcpdump: socket: Operation not permitted
> [prowlands@dimebar sbin]$ uname -a
> Linux dimebar 2.4.3-12 #1 Fri Jun 8 15:05:56 EDT 2001 i686 unknown
>
>
> Something to do with capabilities? I can't find anything special about
> sendmail and traceroute, but SUID root seems to work for them.
>
>
> Cheers,
>
> Phil
>
>
>
> _______________________________________________
> Seawolf-list mailing list
> [EMAIL PROTECTED]
> https://listman.redhat.com/mailman/listinfo/seawolf-list
>
--
-Statux
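
An added example, not part of the original messages: a POSIX shell function that lists setuid files under a directory and flags any that are not on an approved list, which is one way to keep track of what has been made SUID. The allowlist format (one absolute path per line), the function names and the demo tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# audit_suid DIR ALLOWLIST
# Prints "OK <path>" for setuid files listed in ALLOWLIST (one absolute
# path per line) and "UNEXPECTED <path>" for any other setuid file.
# Returns 0 if nothing unexpected was found, 1 otherwise.
audit_suid() {
    audit_dir=$1
    audit_allow=$2
    audit_rc=0
    # -perm -4000 selects files with the setuid bit; -xdev stays on one filesystem.
    audit_found=$(find "$audit_dir" -xdev -type f -perm -4000 2>/dev/null | sort)
    if [ -z "$audit_found" ]; then
        return 0
    fi
    while IFS= read -r audit_path; do
        # -F fixed string, -x whole-line match: no partial path matches.
        if grep -Fxq -- "$audit_path" "$audit_allow"; then
            echo "OK $audit_path"
        else
            echo "UNEXPECTED $audit_path"
            audit_rc=1
        fi
    done <<EOF
$audit_found
EOF
    return "$audit_rc"
}

# Constructed demo: empty stand-in files named after the binaries in the thread.
demo() {
    demo_root=$(mktemp -d) || return 1
    mkdir "$demo_root/sbin"
    for demo_f in sendmail tcpdump traceroute; do
        : > "$demo_root/sbin/$demo_f"
    done
    chmod 0755 "$demo_root/sbin/traceroute"                      # not setuid
    chmod 4755 "$demo_root/sbin/sendmail" "$demo_root/sbin/tcpdump"
    printf '%s\n' "$demo_root/sbin/sendmail" > "$demo_root/allow"
    audit_suid "$demo_root/sbin" "$demo_root/allow"
    demo_rc=$?
    rm -rf "$demo_root"
    return "$demo_rc"
}

# Run the demo only when asked: sh audit_suid.sh demo
if [ "${1:-}" = "demo" ]; then
    demo
fi
```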