From: "Matthew Miller" <mattdm@xxxxxxxxxx>
On Thu, Jul 06, 2006 at 12:53:28PM -0700, Al Sparks wrote:
I tried to execute
ifconfig eth0 down
on my system as non-root, and got permission denied.
Try adding
USERCTL=yes
to
/etc/sysconfig/network-scripts/ifcfg-eth0
(One of several arguments for moving ifconfig to /bin.)
But yeah, having programs in sbin isn't a security thing. It's an
organizational thing.
Compromise please - not having the programs executable for users
is a security thing (more so for some programs than others). Not
having them in the user's path avoids confusion over "why doesn't
this command work?" If it's not there the system administrator
does not want you to have access; and if you go around his back to
/sbin or /usr/sbin directly you'll likely find it does not work.
In another sense it is a security thing in the same sense that a
user cannot go to "/" and execute "rm -rf" and achieve anything
but blowing his own account away and stuff a wingnut administrator
left world write on. On a single user/administrator machine it does
not matter if ifconfig is runnable or accessible. But if you had
several hundred users on the machine would you want each and every
one of them to be able to turn off networks? Security is both
protection from intentional attacks and from "Oh Shit!" events. I
try to keep the latter in mind most of the time. 'ix operating
systems do not hand hold as much as the MS systems. Once a command
WILL run for you it'll do what you say and seldom ask "Are you SURE
you want to erase everything on your machine?"
{^_^} Joanne, being picky again. But really, accidents are just
as much a security problem as intentional disruptions.
