On Thu, Aug 27, 2009 at 4:14 AM, Leszek Krupinski <leafnode@gmail.com> wrote:
> Daemon? Why not just sudo?
Or Solaris roles or whatever they're called, on the Solaris machines. (Whatever it is pfexec does.) MySQL wouldn't even need that; just assign the account the right to view process lists and kill processes.
On Thu, Aug 27, 2009 at 5:05 AM, Fahad Sadah <fahadsadah@googlemail.com> wrote:
> Bear in mind that most programs can be exploited as root, to gain full root. Might I remind you of what happened with mount (for those of you who don't know, a bunch of people from the not-for-profit organisation Henrik and I volunteer for abused access to mount to take a whole server, by making their own filesystems with setuid binaries inside and mounting them).
Not "most programs", only a minority. Obviously if you can run mount as root with arbitrary parameters, you can mount arbitrary filesystems with, for instance, a setuid root-owned binary on it that does whatever you want. Giving people sudo access to chmod, chown, modprobe, a shell or interpreter or editor, something that's not usually a shell or interpreter or editor but actually can be used as one (like some variants of less), etc., would also obviously give them full access if they wanted.
But you're not going to get root access using shutdown or kill or /etc/init.d/apache. It does pay to think about it carefully first, but it's hardly inevitable that limited admins will be able to get full root if you're careful what commands you give them. (I'd think it would be safer to write a wrapper script for kill that made sure you weren't trying to kill a root-owned process, to be on the safe side.)
On Thu, Aug 27, 2009 at 8:09 AM, Bryan Tong Minh <bryan.tongminh@gmail.com> wrote:
> Well of course they can, and care should be taken which programs can be run, but custodians should be very trusted, and anybody about whom we don't know whether they would exploit a program to gain root access is automatically disqualified.
If there were some way we knew about that some users could gain root access (and thereby access to private data), those users would have to be approved by Wikimedia, which defeats the point.
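The kill wrapper suggested in the reply above, written out as an added example (this is not code from the thread or from Wikimedia): a POSIX sh script meant to be the only command a limited admin may run through sudo, which refuses to signal root-owned processes and accepts nothing but a plain PID plus an optional signal. The function names, the /proc fallback and the `ruser` ps keyword are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): the only command a limited admin
# would be allowed to run via sudo. It refuses root-owned targets and
# accepts only "[-SIGNAL] PID", so no stray option ever reaches kill.

# Real owner of process $1: numeric uid from /proc on Linux, user name
# from POSIX ps elsewhere; empty if the process does not exist.
owner_of() {
    if [ -r "/proc/$1/status" ]; then
        awk '/^Uid:/ { print $2 }' "/proc/$1/status"
    else
        ps -o ruser= -p "$1" 2>/dev/null | tr -d ' '
    fi
}

# Return codes: 0 ok, 1 root-owned (refused), 2 not a plain PID, 3 no such process.
check_target() {
    case "$1" in
        ''|*[!0-9]*) return 2 ;;
    esac
    owner=$(owner_of "$1")
    [ -n "$owner" ] || return 3
    case "$owner" in
        0|root) return 1 ;;
    esac
    return 0
}

# Accept only a signal argument of the form -NAME or -NUMBER.
check_signal() {
    case "$1" in
        -[A-Z]*|-[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# safe_kill [-SIGNAL] PID
safe_kill() {
    sig=""
    if [ $# -eq 2 ]; then
        check_signal "$1" || { echo "bad signal: $1" >&2; return 2; }
        sig="$1"; shift
    fi
    [ $# -eq 1 ] || { echo "usage: safe_kill [-SIGNAL] PID" >&2; return 2; }
    check_target "$1" && rc=0 || rc=$?
    case $rc in
        1) echo "refusing to signal root-owned process $1" >&2; return 1 ;;
        2) echo "not a PID: $1" >&2; return 2 ;;
        3) echo "no such process: $1" >&2; return 3 ;;
    esac
    kill $sig "$1"
}
```

Installed as the sole sudo-permitted command for the limited role, the wrapper still lets the admin stop a runaway apache worker, but a root-owned target is rejected before kill is ever invoked.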