Ethereal-users: RE: [Ethereal-users] Run as root not as any other user

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: "Neulinger, Nathan" <nneul@xxxxxxx>
Date: Thu, 17 May 2001 09:03:42 -0500
Sudo in this case doesn't gain you anything other than the control of WHO
can run it. Any time you allow a non-root user to run a command as root that
isn't written to be safely run setuid (which is what sudo is doing) - you're
basically opening yourself up to that non-root user having full access to
the machine.

You're not understanding the dangers of setuid if you think that sudo is
more secure in this case than just making ethereal itself setuid with proper
group permissions.

The ONLY safe way to do this is to run a program as root that is DESIGNED to
be run as root - such as by doing the absolute minimum as root and then
dropping perms, or by being securely written and relying only on securely
written toolkits.

-- Nathan

> -----Original Message-----
> From: Eichert, Diana [mailto:deicher@xxxxxxxxxx]
> Sent: Thursday, May 17, 2001 8:42 AM
> To: 'Peter Kjellerstedt '; ''Guy Harris' '; 'Cameron Kerr '
> Cc: 'cody '; 'Ethereal-users@xxxxxxxxxxxx '
> Subject: RE: [Ethereal-users] Run as root not as any other user
> 
> 
> I recommend sudo also.  Your control over how you allow a user to run
> something as root is very granular.  You can even set what 
> command line
> options they can run with a program.  Stay away from setuid 
> if you can.
> 
> diana
> 
> -----Original Message-----
> From: Peter Kjellerstedt
> To: 'Guy Harris'; Cameron Kerr
> Cc: cody; Ethereal-users@xxxxxxxxxxxx
> Sent: 5/17/2001 12:12 AM
> Subject: RE: [Ethereal-users] Run as root not as any other user
> 
> > -----Original Message-----
> > From: Guy Harris [mailto:guy@xxxxxxxxxx]
> > Sent: Wednesday, May 16, 2001 21:05
> > To: Cameron Kerr
> > Cc: cody; Ethereal-users@xxxxxxxxxxxx
> > Subject: Re: [Ethereal-users] Run as root not as any other user
> > 
> > > Set ethereal to be setuid
> > > 
> > > chmod +s `which ethereal`
> > > 
> > > Note that this could be a security risk.
> > 
> > Yes - see
> > 
> > 	http://www.gtk.org/setuid.html
> > 
> > It also may not work at all, depending on whether Mandrake 
> > 8.0 has GTK+
> > 1.2.9 or later, as the GTK+ folk have, in 1.2.9, changed 
> GTK+ so that
> > GTK+ programs will simply refuse to run at all if they're set-UID. 
> 
> Two other solutions to this are sudo and op.
> 
> //Peter
> 
> 
> 
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
>