permissions for suid tools

Tomasz Kłoczko kloczek at rudy.mif.pg.gda.pl
Fri, 12 Jan 2001, 16:52:16 CET


On Thu, 11 Jan 2001, Jacek Konieczny wrote:

> On Thu, Jan 11, 2001 at 11:11:21AM +0100, Sebastian Zagrodzki wrote:
> > Is there any set of "standard" permissions for setuid tools?
> > I mean apps like ping, mtr, traceroute and so on.
> > As everybody knows, setting 4755 on them is not what we would like to
> > do...
> > Possibilities are:
> > 
> > 755, no suid by default
> > 4710, owner root.root
> > 4710, owner <some_group_that_can_use_these_tools>
> > 
> > As for now, we have (for example):
> > 4755 (ping)
> > 4754 (traceroute6)
> > 755 (targa)
> IMHO for ping, traceroute, mtr it should be:
> 4710 root.icmp

It would be much better to add PAM modifications for these tools and, in
the authentication procedure, use pam_listfile with an allow rule.
Adding more groups/uids causes some trouble/complications on installation and
also incompatibilities with other Linuxes.

Another way is to use su from shadow, which has some abilities similar to sudo
(suauth).
Using suauth causes no other modifications in the system, like using some
additional groups (and this is what suauth and sudo were written for).

kloczek
-- 
-----------------------------------------------------------
*People don't have problems, they only create them for themselves*
-----------------------------------------------------------
Tomasz Kłoczko, sys adm @zie.pg.gda.pl|*e-mail: kloczek at rudy.mif.pg.gda.pl*
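
Added example, not part of the original message or of any PLD tooling: a small audit script that sorts setuid files into the permission schemes discussed in this thread (4755 world-executable, 4710 group-restricted such as root.icmp, or no suid at all). It assumes GNU `stat` and `find`; the function names `classify_suid` and `audit_suid` are hypothetical.

```shell
#!/bin/sh
# Added example: classify who may run a setuid binary, from its mode and group.
# Assumes GNU coreutils/findutils (stat -c, find -perm). Names are hypothetical.

classify_suid() {
    # Prints one of:
    #   not-suid | suid-world | suid-group:<group> | suid-owner-only
    out=$(stat -c '%a %G' -- "$1") || return 1
    perm=${out%% *}          # octal mode as printed by stat, e.g. 4755
    group=${out#* }          # owning group, e.g. icmp
    mode=$((0$perm))         # leading 0 makes the shell read it as octal

    if [ $((mode & 04000)) -eq 0 ]; then
        echo "not-suid"                 # e.g. 755: runs with the caller's uid
    elif [ $((mode & 0001)) -ne 0 ]; then
        echo "suid-world"               # e.g. 4755: every local user can run it
    elif [ $((mode & 0010)) -ne 0 ]; then
        echo "suid-group:$group"        # e.g. 4710 root.icmp: group members only
    else
        echo "suid-owner-only"          # e.g. 4700: suid bit set, owner only
    fi
}

audit_suid() {
    # Report every setuid regular file under the given directories,
    # one "class<TAB>path" line per file, without crossing filesystems.
    find "$@" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r f; do
        printf '%s\t%s\n' "$(classify_suid "$f")" "$f"
    done
}

# Typical use on a running system:
#   audit_suid /bin /sbin /usr/bin /usr/sbin | sort
```

Lines reported as `suid-world` are the 4755 case the thread wants to avoid; `suid-group:` lines show which group would have to be managed on each installation.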



More information about the pld-devel-pl mailing list