Comment 110 for bug 13795

Paul Szabo (psz-maths) wrote: Re: Bug#299007: base-files: Insecure PATH

Jakob Bohm <email address hidden> wrote:

>>>> Is it documented anywhere that you should only give group staff
>>>> privileges to those that also have the root password?
>
> I wrote "probably somewhere" because I have not wasted time ...
> It's like "don't lend people keys to anything if they cannot be
> trusted or cannot keep the key safe".

Keys to anything? I gave you a key to your hotel room, not to my house.

> Debian GNU/Linux woody predefines several groups ...

Thank you for expanding my list.

> Only two groups are mostly impossible to abuse:
> users, nogroup

You may be wrong on nogroup. Define "mostly impossible".

> Microsoft Windows/NT ...

Irrelevant.

>>>> At no time was I arguing for banning whatever ownership of /usr/local
>>>> by policy; I only wanted to also allow it being owned by root. ...
>
> I do not agree that anything you have posted so far justifies
> disallowing /usr/local to be owned by group staff by default.
> If you think that chown -R :root /usr /bin /sbin /etc will make
> you safer you are free to make that mistake on your own system,
> just don't force it on the world.

The directories you mention are in fact owned by root:root.

>>> The problem is that most NFS-servers and most versions of the
>>> NFS protocol do not perform sufficient validation ...
>>
>> NFS may be ugly and insecure. Should we banish it from Debian?
>
> No, but maybe we should make sure all the Debian-shipped NFS
> implementations include all necessary security extensions and
> enable those extensions by default.

Should the "currently shipping" NFS implementations be banned? Getting them
secured: is that being worked on?

> ... fickle grounds that some software is not enforcing group
> authentication properly.

Security does not work without enforcement.

Leaving petty arguments and cheap character assassinations aside.

Group staff is an anachronism: its ownership of /home is "wrong". Its use
and usefulness should be reviewed.

Group staff is said to be useful "for helpdesk types or junior sysadmins",
without warnings that it is in fact root-equivalent.

Use of root-equivalent users and groups may enlarge the attack surface.

If commonly used software allows breaching some security features, then
the features need to be changed.

Cheers,

Paul Szabo <email address hidden> http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia
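
A check for the condition this thread argues about, added here as an example that is not part of the original message or of Debian: it lists the entries of a PATH value that someone other than the directory owner can modify. The function name audit_path and the sample directories are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration: audit_path is a hypothetical helper, not Debian code.
# Prints one line per PATH entry that is relative or group/world-writable.
# Returns 0 when nothing was found, 1 otherwise.
audit_path() {
    findings=0
    # Append ":" so that a trailing empty component is not lost.
    rest="$1:"
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        if [ -z "$dir" ] || [ "$dir" = "." ]; then
            # An empty entry makes the shell search the current directory.
            echo "RELATIVE  (empty or '.' entry)"
            findings=$((findings + 1))
            continue
        fi
        [ -d "$dir" ] || continue
        # ls -ldn fields: mode string, link count, numeric uid, numeric gid.
        set -- $(ls -ldn -- "$dir")
        mode=$1 uid=$3 gid=$4
        case $mode in
            ????????w*) echo "WORLD-WRITABLE  $dir  mode=$mode uid=$uid gid=$gid"
                        findings=$((findings + 1)) ;;
            ?????w*)    echo "GROUP-WRITABLE  $dir  mode=$mode uid=$uid gid=$gid"
                        findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample: the first directory stands in for a /usr/local/bin
# that a group such as staff can write to, the second for a root-only /bin.
demo=$(mktemp -d)
mkdir "$demo/local-bin" "$demo/bin"
chmod 775 "$demo/local-bin"
chmod 755 "$demo/bin"
audit_path "$demo/local-bin:$demo/bin" || echo "PATH needs review"
rm -rf "$demo"
```

Run against root's real search path with audit_path "$PATH" from a root shell; the gid in each finding shows which group's members can place files in that directory.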