[plug] new linux user

Matt Kemner zombie at networx.net.au
Wed Sep 29 10:59:57 WST 1999


At 10:19 29/09/99 +0800, I muttered:

> >You should never make programs SUID-root if you can avoid it.

On Wed, 29 Sep 1999, Tony Clark wrote:

> In general I agree with the above, but for a home machine with only trusted
> users on the network, I'm not sure it makes much difference. 

Even for a home machine it's always a good idea to consider security
implications, and do things "right"

You never know when there is going to be another (for example)
netscape/irc client/news reader bug, allowing
people to execute what they want on your machine, as you (normal user) -
which means they are one step closer to root.

(actually it's for this reason I run netscape as a seperate user entirely,
so that if someone breaks in via netscape, all they can do is fiddle with
my bookmarks etc, not read my mail and stuff ;)

If you then provide SUID-root applications that have been provided by your
linux-distro as non-SUID for a reason, then you have given them the second
step needed to get root access to your machine. 

I'm not attacking you personally, Tony, I'm just trying to explain why
your advice wasn't the best option available.  "There is more than one way
to do it" and it always pays to consider the consequences of the way you
choose to do it.

 - Matt
P.S. If I seem overly paranoid about security issues, it's because I'm
paid to be. :)



More information about the plug mailing list