[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kde-core-devel
Subject:    Re: security vs. usability
From:       Bernhard Rosenkraenzer <bero () redhat ! de>
Date:       2001-02-06 10:43:19
[Download RAW message or body]

On Tue, 6 Feb 2001, Marcus Meissner wrote:

> This should be done differently. Also you can still do:
>
> $ su -p
> # kisdn &

Assuming you know the root password and want to enter it every time.
I agree that, by default, nothing using KDE (or X) should be setuid - but
I disagree about not giving root the choice to make them setuid/setgid,
especially setuid/setgid to uids/gids != 0.

The dialups were just an example - it may still be necessary to
setuid/setgid something trying to access CD writers, scanners, etc.

Yes, there is a security problem with doing that, it definitely shouldn't
be done by default. But not giving root the possibility to do it isn't
very nice either.

> I think it is more wise to just abort() and hit the programmer in the face
> that he should think of a better way on how to solve your problem instead
> of allowing such extremely dangerous features.

This works for programmers, but what about the admin who just wants to
give his (trusted) users access to the CD writer?
Put warnings all over the place to let the admin know he's doing something
stupid if there are any users that can't be trusted, but don't prevent him
from doing it.

> And as for the local admin wanting to do it and we be giving him the
> possibility to shoot himself into his own foot...

I think that should be done - if all users can be trusted (think "home
user who doesn't want his kids to mess up the system [so they don't get a
root shell just to prevent them from accidentally writing anything odd to
/etc] but wants them to have access to all hardware, dialouts,
..."), there's not a problem with making stuff setuid in this case. It's
not that setuid KDE applications introduce remote exploits.

LLaP
bero

[prev in list] [next in list] [prev in thread] [next in thread]