On Nov 16, 2007 11:16 AM, James Olin Oden james.oden@gmail.com wrote:
On 11/16/07, Alfred von Campe alfred@von-campe.com wrote:
On Nov 16, 2007, at 9:55, Marc Wiatrowski wrote:
Being aware of the security implications, do you have perl-suidperl-X.rpm installed?
I meant I was aware of the implications of running setuid scripts. I was not aware that CentOS' upstream provider had packaged suidperl separately. Installing this package solved my problem. However, I am pursuing an sudo solution at the moment that may work even better for me.
setuid scripts are not by their nature bad as some would propose. As a matter of fact without using a system with mandetory access controls like SELinux, they can be effective tools to enhance overal security provided you follow some simple guidelines quite rigorously:
- As soon as you start de-elevate your privileges.
- Only elevate your privileges for as long as you need to (as an example one may need root to open certain files, but once its opened you do not need root to read and write the file).
- Try to keep the setuid program as simple as possible. If there
is a point where it can throw away its privileges forever then do so.
- Be very rigorous in determining that a user in the current
context they are in should be using the setuid script.
I think the key word in alll that is "rigor" and though not used, "aware".
Cheers...james
Good suggestions. Also keep in mind that you don't always suid to root. You can also suid to another user (which seems to be the case here).