Re: What to do when a command isn't found?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Al Sparks wrote:
> 
> I tried to execute
>    ifconfig eth0 down
> on my system as non-root, and got permission denied.
> 
> If you're going to restrict access to the commands in /sbin, you
> should also change the permissions on the /sbin directory so
> unauthorized personnel can't reach it.  As things stand now, you
> simply have security through obscurity, since users can change their
> own $PATH.
> 
> Actually, if you're going to restrict users, you default their shell
> to /bin/rbash, set their $PATH to a small amount of directories, and
> make their .bashrc and .bash_profiles inaccessible.
>    === Al
> 
What happens if you run "/sbin/ifconfig eth0" instead of
"/sbin/ifconfig eth0 down"? Is the permission denied message about
running ifconfig or about trying to bring down eth0? There are times
when the information presented by ifconfig is useful to a normal
user, even though you can not change the settings.

One thing I think you are missing is that keeping these commands off
a normal user's path is not really a security measure. It is more a
matter of keeping them out of the way of people that would not
normally need access to them. Chances are, they are not going to
stumble across them by accident, but they are there if you do need
to use them. The security is that most actions by the commands
require root permissions. The information function of the commands
still works for normal users.

Mikkel
-- 

  Do not meddle in the affairs of dragons,
for thou art crunchy and taste good with Ketchup!


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux