Full Disclosure mailing list archives
Re: /bin/rm file access vulnerability
From: Valdis.Kletnieks () vt edu
Date: Sat, 01 Jan 2005 21:46:22 -0500
On Thu, 30 Dec 2004 12:52:23 -0400, Jerry said:
> I have to agree with Shane on this. The whole point of the admin a.k.a. root user is to have full control over everything. What's the point of that user if it can't delete or stop a set process when required if some user orphans something and can't get it back?
If you are in an environment that cares about security, one user having full control is a Bad Thing. And it's not just military sites either - one of the first rules of accounting and auditing is that if one person is writing checks, somebody *else* actually balances the books. One common enhancement in Unix systems for high security is splitting out what userids can run what commands, and getting rid of the "root" user entirely. So for instance, one userid may be able to run the backup and restore commands, but nothing else. Meanwhile, you might have a "sysadmin" userid that can kill processes and remove temp files - but which *cannot* alter the system auditing settings - so if the sysadmin does something they shouldn't, it's in the audit trail where it will be seen by the security admin.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
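The split of duties described in the message above can be checked mechanically. The following is an added example, not part of the original message or of any tool it mentions: it reads a constructed, simplified sudoers-style policy (command aliases and one-line user rules only) and flags any userid that is root-equivalent or that holds both operational commands and audit-control commands. The userids, command paths and policy text are assumptions made for illustration.

```python
import re

# Assumption: these paths stand for "alter the system auditing settings".
AUDIT_CONTROL = {"/sbin/auditctl", "/usr/sbin/auditd"}
# Assumption: these paths stand for day-to-day operator actions.
OPERATIONS = {"/bin/kill", "/bin/rm", "/sbin/dump", "/sbin/restore"}

# Constructed sample policy (hypothetical userids, not from the original post).
SAMPLE_POLICY = """
Cmnd_Alias BACKUP = /sbin/dump, /sbin/restore
Cmnd_Alias PROC   = /bin/kill, /bin/rm /tmp/*
Cmnd_Alias AUDIT  = /sbin/auditctl
backupop ALL = BACKUP
sysadmin ALL = PROC
secadmin ALL = AUDIT      # only this userid may touch audit settings
oldroot  ALL = PROC, AUDIT
wheel    ALL = ALL
"""

def parse_policy(text):
    """Return {userid: set of executable paths}; aliases must precede use."""
    aliases, grants = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            # Keep only the executable path; arguments do not matter here.
            aliases[m.group(1)] = {c.split()[0] for c in m.group(2).split(",") if c.strip()}
            continue
        m = re.match(r"(\S+)\s+\S+\s*=\s*(.+)", line)
        if m:
            cmds = grants.setdefault(m.group(1), set())
            for item in (i.strip() for i in m.group(2).split(",")):
                if item:
                    cmds |= aliases.get(item, {item.split()[0]})
    return grants

def find_violations(grants):
    """Flag userids that break the separation the message describes."""
    out = {}
    for user, cmds in sorted(grants.items()):
        if "ALL" in cmds:
            out[user] = "unrestricted (root-equivalent)"
        elif cmds & AUDIT_CONTROL and cmds & OPERATIONS:
            out[user] = "operations and audit control combined"
    return out

if __name__ == "__main__":
    for user, reason in find_violations(parse_policy(SAMPLE_POLICY)).items():
        print(f"{user}: {reason}")
```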