Re: Filesystem Capabilities in 2.6?

From: Linus Torvalds (torvalds@transmeta.com)
Date: Sun Nov 03 2002 - 00:52:08 EST


On Sat, 2 Nov 2002, Oliver Xymoron wrote:
>
> Yes, but this has annoying side effects like booting single-user and
> discovering things like /sbin/ping doesn't exist because mount -a
> didn't run yet.

No, /sbin/ping _would_ exist, it just wouldn't have gotten the elevated
capabilities yet.

But that shouldn't matter in single-user mode, since it doesn't _need_ any
elevated capabilities (unless you've somehow made your single-user mode
run as a normal user - that's really secure, but you can't do anything
with it ;)

[ In general the scenario you bring up is actually a good thing: a
  failure mode would fail with _less_ privileges rather than more. Which
  on the whole is exactly what you want - failure to initialize something
  should not leave nasty security holes around. ]

On the other hand, I have this suspicion that the most secure setup is one
that the sysadmin is _used_ to, and knows all the pitfalls of. Which
obviously is a big argument for just maintaining the status quo with suid
binaries.

We have decades of knowledge on how to minimize the negative impact of
suid (I've used sendmail as an example of a suid program, and yet last I
looked sendmail was actually pretty careful about dropping all unnecessary
privileges very early on).

And as Al points out, new security features don't mean that you can just
stop being careful.

                Linus

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
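The two points above, dropping unnecessary privileges very early and failing with fewer privileges rather than more, as a worked example added here (not code from this thread, from sendmail or from the kernel): a permanent privilege drop for a suid binary that clears all three uid/gid sets, verifies the result instead of trusting return codes, and refuses to continue if any step fails. The fallback target id 65534 is assumed to be the usual "nobody" account.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Permanently drop to (uid, gid). Order matters: supplementary groups,
 * then gid, then uid, because once the uid is gone the gid can no longer
 * be changed. Real, effective and saved ids are all set so the old uid
 * cannot be regained. Returns -1 on any failure so the caller can abort:
 * ending up with fewer privileges beats carrying on with more. */
int drop_privileges(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;

    /* setgroups() needs CAP_SETGID, so only attempt it while still root
     * and only when there is actually something to drop. */
    if (geteuid() == 0 && getgroups(0, NULL) > 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;

    /* Verify the kernel's view rather than trusting the return codes. */
    if (getresuid(&ru, &eu, &su) != 0 || ru != uid || eu != uid || su != uid)
        return -1;
    if (getresgid(&rg, &eg, &sg) != 0 || rg != gid || eg != gid || sg != gid)
        return -1;
    /* After leaving root, getting it back must be impossible. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Assumed target: 65534 ("nobody") when started as root; otherwise keep
     * our own ids so the full sequence is still exercised unprivileged. */
    uid_t uid = geteuid() == 0 ? 65534 : getuid();
    gid_t gid = geteuid() == 0 ? 65534 : getgid();

    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return EXIT_FAILURE;   /* fail closed: never run the real work privileged */
    }
    printf("running as uid=%u gid=%u\n", (unsigned)geteuid(), (unsigned)getegid());
    return EXIT_SUCCESS;
}
```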