[Toolserver-l] an idea

Aryeh Gregor Simetrical+wikilist at gmail.com
Thu Aug 27 14:23:56 UTC 2009


On Thu, Aug 27, 2009 at 4:14 AM, Leszek Krupinski <leafnode at gmail.com> wrote:
> Daemon? Why not just sudo?

Or Solaris roles or whatever they're called, on the Solaris machines.
(Whatever it is pfexec does.)  MySQL wouldn't even need that; just
assign the account the right to view process lists and kill processes.

On Thu, Aug 27, 2009 at 5:05 AM, Fahad Sadah <fahadsadah at googlemail.com> wrote:
> Bear in mind that most programs can be exploited as root, to gain full
> root. Might I remind you of what happened with mount (for those of you
> who don't know, a bunch of people from the not-for-profit organisation
> me and Henrik volunteer for, abused access to mount, to take a whole
> server, by making their own filesystems with setuid binaries inside,
> and mounting them)

Not "most programs", only a minority.  Obviously if you can run mount
as root with arbitrary parameters, you can mount arbitrary filesystems
with, for instance, a setuid root-owned binary on it that does
whatever you want.  Giving people sudo access to chmod, chown,
modprobe, a shell or interpreter or editor, something that's not
usually a shell or interpreter or editor but actually can be used as
one (like some variants of less), etc., would also obviously give them
full access if they wanted.

But you're not going to get root access using shutdown or kill or
/etc/init.d/apache.  It does pay to think about it carefully first,
but it's hardly inevitable that limited admins will be able to get
full root if you're careful what commands you give them.  (I'd think
it would be safer to write a wrapper script for kill that made sure
you weren't trying to kill a root-owned process, to be on the safe
side.)

On Thu, Aug 27, 2009 at 8:09 AM, Bryan Tong Minh <bryan.tongminh at gmail.com> wrote:
> Well of course they can, and care should be taken which programs can
> be run, but custodians should be very trusted and anybody whom we
> don't know if they will exploit a program to gain root access is
> automatically disqualified.

If there were some way we knew about that some users could gain root
access (and thereby access to private data), those users would have to
be approved by Wikimedia, which defeats the point.
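A wrapper of the kind the message suggests for kill, as an added example that is not part of the original thread or the Toolserver's own configuration: it refuses root-owned targets, non-numeric pids and signals outside a short allow-list before calling the real kill. It assumes a POSIX ps(1) that accepts `-o uid= -p PID` (Linux procps and Solaris both do) and that the limited admin's sudo rule grants only this script, not kill itself.

```shell
#!/bin/sh
# safe_kill: hypothetical sudo wrapper around kill(1) for limited admins.
# Policy: never signal a root-owned process, never accept a pid that is not
# a plain positive integer (so "-1", "0" and process groups are rejected),
# and only allow a few well-known signals.

# Pure policy check on an owner uid, kept separate from the ps lookup so it
# can be tested without touching live processes. Exit 0 = allowed.
check_target_uid() {
    case "$1" in
        ''|*[!0-9]*) return 2 ;;   # empty or non-numeric: pid not found / lookup failed
    esac
    [ "$1" -ne 0 ]                 # uid 0 (root) -> refuse with exit 1
}

# Allow-list of signals a limited admin may send; everything else is refused.
check_signal() {
    case "$1" in
        TERM|HUP|INT|KILL|1|2|9|15) return 0 ;;
        *) return 1 ;;
    esac
}

# Resolve the owner uid of a pid via ps; prints nothing if the pid is gone.
target_uid() {
    case "$1" in ''|0|*[!0-9]*) return 1 ;; esac   # reject "", "0", "-1", "abc"
    ps -o uid= -p "$1" 2>/dev/null | tr -d ' '
}

# Entry point: safe_kill SIGNAL PID
safe_kill() {
    sig=$1; pid=$2
    check_signal "$sig" || { echo "refused: signal '$sig' not permitted" >&2; return 1; }
    uid=$(target_uid "$pid") || { echo "refused: bad pid '$pid'" >&2; return 1; }
    check_target_uid "$uid" || { echo "refused: pid $pid is root-owned or not found" >&2; return 1; }
    kill -s "$sig" "$pid"
}
```

Because the uid is looked up and then the signal sent in two steps, a pid can in principle be recycled between them; on a busy box it is worth also comparing the process's start time, but the owner check already closes the case the message is worried about.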
