For our purposes, being root is fine. The only reason I even bother is that we nice the process being run in the script so that it has priority (we're dealing with a soft realtime system). If the user's not root, I'd rather have it fail with a graceful message than a permission denied.
-DMZ On Wed, 2005-10-12 at 12:08 -0400, Rob wrote: > On Wed, Oct 12, 2005 at 10:41:48AM -0400, Joe Barrett wrote: > > While Rob is completely right, you may also want to check if `id -g` == > > 0 as well. I'm not sure what purpose you're using the script for, but > > sometimes an intruder may add themselves to the root group instead of > > just giving themself the root account, to escape detection. And if no > > other reason, you never know when someone's odd setup may involve a > > non-root user in the root group. > > [this conv is moving OT; sorry ;-)] > > You've lost me Joe. > > Group root doesn't have much privileges: it can't open arbitary files, > bind low ports, etc... Why would an attacker add himself to group root > instead of a uid=0 account? The only thing about group root is there > might be programs that only people in group root can run and be setuid > (i.e., perm 4750 or similar), and a quick check on my system (Fedora 3), > such a thing doesn't exist. > > - Rob > . > > -- David Zakar <[EMAIL PROTECTED]>
