Message-ID: <20050330232605.GV30645@seventeen>
Date: Thu, 31 Mar 2005 01:26:05 +0200
From: Bill Allombert <email address hidden>
To: <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#299007: base-files: Insecure PATH
On Thu, Mar 31, 2005 at 06:16:46AM +1000, <email address hidden> wrote:
> Group staff is an anachronism: its ownership of /home is "wrong". Its use
> and usefulness should be reviewed.
An anachronism? What paradigm shift made it "wrong"?
> Group staff is said to be useful "for helpdesk types or junior sysadmins",
> without warnings that it is in fact root-equivalent.
Who said that?
    sg staff -c "make install"
and
    su root -c "make install"
are very different security-wise. For one thing, the first will fail if we
mistakenly try to install in /usr instead of /usr/local.
> Use of root-equivalent users and groups may enlarge the attack surface.
There are a lot of them, though.
> If commonly used software allows breaching some security features, then
> the features need to be changed.
No security-conscious person uses NFS in a security-sensitive context
anyway.
Cheers,
--
Bill. <email address hidden>
Imagine a large red swirl here.
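
Added example, not part of the original message or of base-files: a POSIX sh check, tied to the bug's subject (insecure PATH) and the group staff discussion above, that lists which directories on a PATH are writable by their group or by others. The function name and output format are assumptions made for this example.

```shell
#!/bin/sh
# writable_path_dirs PATHSTRING
# Prints "<group><TAB><dir>" for every existing directory in PATHSTRING whose
# mode grants write permission to its group or to others. A directory such as
# a staff-writable /usr/local/bin on root's PATH would be listed here.
writable_path_dirs() {
    old_ifs=$IFS
    IFS=:            # split the argument on colons
    set -f           # no globbing while splitting
    for dir in $1; do
        # A leading or doubled colon yields an empty entry: the current directory.
        [ -n "$dir" ] || dir=.
        [ -d "$dir" ] || continue
        # ls -L follows symlinked entries (e.g. /bin -> usr/bin) so the mode
        # examined is the target directory's. In the mode string, character 6
        # is the group write bit and character 9 the other write bit.
        ls -ldL "$dir" | awk -v d="$dir" '
            substr($1, 6, 1) == "w" || substr($1, 9, 1) == "w" {
                print $4 "\t" d
            }'
    done
    set +f
    IFS=$old_ifs
}

# Audit the PATH of the account running the script (run it as root to see
# root's effective PATH).
writable_path_dirs "$PATH"
```

Any line of output names a directory where members of the listed group (or everyone, if the other-write bit is set) can place executables that the PATH's owner may later run.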