[plug] new linux user

Tony Clark tony at ballist.net.au
Wed Sep 29 15:29:32 WST 1999


At 10:59 29/09/99 +0800, you wrote:
>At 10:19 29/09/99 +0800, I muttered:
>
>> >You should never make programs SUID-root if you can avoid it.
>
>On Wed, 29 Sep 1999, Tony Clark wrote:
>
>> In general I agree with the above, but for a home machine with only trusted
>> users on the network, I'm not sure it makes much difference. 
>
>Even for a home machine it's always a good idea to consider security
>implications, and do things "right"

What is right depends on the application, environment and the skill level of
the person starting, otherwise we would all run windows and be done with it :)

>
>You never know when there is going to be another (for example)
>netscape/irc client/news reader bug, allowing
>people to execute what they want on your machine, as you (normal user) -
>which means they are one step closer to root.

We were talking about minicom here.  Unless it is being used to start a
ppp session because chat can take a little getting used to and it doesn't
have some fancy script to allow remote access, it should not be a security
hazard.

>(actually it's for this reason I run netscape as a separate user entirely,
>so that if someone breaks in via netscape, all they can do is fiddle with
>my bookmarks etc, not read my mail and stuff ;)

I find not turning the computer on at all is almost the best form of
security.   Only bettered by not having one at all.  Then no one can steal
root access  :)

>
>If you then provide SUID-root applications that have been provided by your
>linux-distro as non-SUID for a reason, then you have given them the second
>step needed to get root access to your machine. 

chmod 000 soon fixes up those security holes.

>
>I'm not attacking you personally, Tony, I'm just trying to explain why
>your advice wasn't the best option available.  "There is more than one way
>to do it" and it always pays to consider the consequences of the way you
>choose to do it.

No attack taken...I'm off fishing now  :)


Tony Clark
HDL Electronics Pty Ltd
Contract VHDL, FPGA, ASIC and electronic design services
Mobiles: Australia 61 411 577 715  Hong Kong 852 9616 9716
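The thread's point is that a distro ships most binaries non-SUID for a reason, so extra SUID-root files are worth auditing. The following script is an added example, not from the list discussion: it lists setuid files under a directory, flags those not in an allowlist, and strips the bit cleanly (chmod u-s rather than chmod 000, which would also make the program unusable). The allowlist file format and the function names are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the original thread). Audit setuid files under a
# directory tree against an allowlist of names the distro is expected to
# ship setuid. The allowlist is an assumption here; in practice build it
# from the package manager's recorded file modes (e.g. rpm -V, dpkg -V).

# list_suid DIR: print "path mode owner" for every setuid file under DIR.
# Uses GNU find's -printf (assumed available on Linux).
list_suid() {
    find "$1" -xdev -type f -perm -4000 -printf '%p %m %u\n' 2>/dev/null
}

# audit_suid DIR ALLOWFILE: print one line per setuid file whose basename
# is not listed (one name per line) in ALLOWFILE. Root-owned entries are
# the ones that matter most, so the owner is reported on each line.
audit_suid() {
    dir=$1
    allow=$2
    list_suid "$dir" | while read -r path mode owner; do
        name=$(basename "$path")
        if grep -qxF "$name" "$allow"; then
            continue
        fi
        printf 'UNEXPECTED SUID: %s (owner %s, mode %s)\n' "$path" "$owner" "$mode"
    done
}

# drop_suid PATH: remove the setuid and setgid bits only, leaving the file
# runnable by its owner and group (unlike chmod 000, which disables it).
drop_suid() {
    chmod u-s,g-s "$1"
}
```

Run it as `audit_suid /usr/bin /etc/suid-allowlist` from cron and treat any output as something to investigate; nothing here is root-only except when the directory itself is.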

