[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [hobbit] Hobbit SUID's
- To: hobbit (at) hswn.dk
- Subject: Re: [hobbit] Hobbit SUID's
- From: henrik (at) hswn.dk (Henrik Stoerner)
- Date: Sun, 4 Jun 2006 18:36:47 +0200
- References: <4483099C.80402@cisco.com>
- User-agent: Mutt/1.5.11
On Sun, Jun 04, 2006 at 09:26:04AM -0700, Charles Jones wrote:
> So, correct me if I am wrong about any of these statements:
> 1. The ONLY hobbit binary that MUST be SUID root is "hobbitping"
> (because only root can send ICMP ECHO packets).
Correct.
> 2. "logfetch" is SUID root for ease of monitoring root-owned logfiles.
> It does not need to be SUID if the monitored files are readable by the
> hobbit user.
Correct.
> 3. "clientupdate" is SUID in order to restore the SUID bit of
> "logfetch", when a client update is rolled out via the automated mechanism.
Correct.
> I should be able to convince the security folks to SUID hobbitping. Is
> there anything special about hobbitping itself, or can "fping" be used
> as a replacement?
You can use fping.
If you have problems convincing your security people, show them the
hobbitping code and point out where it does a "seteuid" call to drop
root privileges.
> The only other comment I have is, since the man page specifically says
> that logfetch and clientupdate do not need to be SUID, either "make
> install" should not fail because of the chown errors, or there should be
> a --no-suid option to tell the installer not to attempt to make those SUID.
Until recenly it failed completely. Now it just complains. I'll see if
I can remove those errors.
Regards,
Henrik