Security Basics mailing list archives

Root usage and applications


From: "Keenan Smith" <kc_smith () clark net>
Date: Fri, 11 Nov 2005 10:35:50 -0500

All,

Does anybody know about the "run as root" requirements of HP's OpenView?

I don't own the product but am evaluating a configuration for a client
and have been told that it has to run as root to work properly.

Since an application like OpenView is required to be available from
every node in a network, running it as root seems to me like a pretty
big vulnerability, if someone were to identify a hole and exploit it.

As a long-time application developer, I've found that requiring root
access usually means that the developer is lazy or, at best, following
bad programming practices.

In general, what does the collective wisdom of the group say about
something like this?

Does any application require root access?  A firewall?  A network
management tool?  An authorization/authentication server?

And if it does, is it "really" required or is the requirement a result
of developers who don't want to or were not given the time to properly
code and configure the application to run as a user other than root?

Thoughts?

Thanks
Keenan
 

