Steve Newcomb wrote:
Jean-Louis Martineau <martineau AT zmanda DOT com> writes:
Your bug is also with:
chmod -R 6770 /home/amanda/libexec/* /home/amanda/sbin/*
Setting all binaries to suid and sgid is a bad idea, especially since
you set their owner to root.
From my script, with added comments:
chown -R amanda.disk /home/amanda
chown root.disk /home/amanda/libexec/runtar # "make install" does this but doesn't set group to disk
chown root.disk /home/amanda/libexec/dumper # "make install" does this but doesn't set group to disk
chown root.disk /home/amanda/libexec/planner # "make install" does this but doesn't set group to disk
chown root.disk /home/amanda/sbin/amcheck # "make install" does this but doesn't set group to disk
chmod -R 6770 /home/amanda/libexec/* /home/amanda/sbin/* # "make install" does essentially the same
# thing but doesn't privilege group "disk".
No, it does 'chmod u+s,o-rwx' only on 4 binaries.
With the owner set to amanda, it's not a good idea either.
I'm baffled. I can't think of any reason why that's not a good idea.
Why isn't it a good idea?
suid is always a security risk, it should never be used if it's not
required.
You should only set suid and sgid on required binaries with correct ownership.
Correct ownership is root for the binaries I listed above, right?
Yes, that's only 4 binaries that should be suid.
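
An audit for the state this thread converges on, added here as an example and not taken from either poster or from Amanda itself: setuid/setgid only on runtar, dumper, planner and amcheck, owned by root, with no access for "other". The function name, the finding labels and the audit.sh file name are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit setuid/setgid bits in an Amanda tree.
# Allow-list: the four binaries the thread says "make install" marks setuid.
ALLOWED="runtar dumper planner amcheck"
EXPECTED_OWNER="${EXPECTED_OWNER:-root}"   # owner the thread confirms for those four

# audit_suid DIR...  prints one finding per line; returns 0 if clean, 1 otherwise.
audit_suid() {
    findings=$(
        find "$@" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
        while IFS= read -r f; do
            name=${f##*/}
            case " $ALLOWED " in
                *" $name "*) ;;                          # expected privileged binary
                *) echo "UNEXPECTED $f"; continue ;;     # suid/sgid bit not needed here
            esac
            owner=$(ls -ld "$f" | awk '{print $3}')
            [ "$owner" = "$EXPECTED_OWNER" ] || echo "BADOWNER $f ($owner)"
            # "make install" also applies o-rwx; flag any access left for "other".
            world=$(find "$f" \( -perm -001 -o -perm -002 -o -perm -004 \))
            [ -z "$world" ] || echo "WORLDACCESS $f"
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run as a script (hypothetical name): sh audit.sh /home/amanda/libexec /home/amanda/sbin
if [ "$#" -gt 0 ]; then audit_suid "$@"; fi
```

After a recursive chmod 6770 like the one in the script above, every file under libexec and sbin other than the four allowed names is reported as UNEXPECTED.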