On Thu, 12 Aug 2010 12:10:16 -0400 (EDT), Arthur Machlas wrote:
> On Wed, 11 Aug 2010 17:33:12 -0400 (EDT), Bob Proulx wrote:
>> Then log out. At login you will be set to those additional groups.
>> With those in place you can work as yourself in those areas. Safer
>> than using root since as yourself you can't smash anything in the
>> system directories /etc or /bin or /var or other system locations.
>> This makes installing local software through 'make install' much safer
>> and more contained when not done as root. If one were to crawl out of
>> /usr/local for example you would see the failure. If you were running
>> as root then you would not.
>
> Isn't there a risk in granting user access to src, adm, and such if
> ever your user account is compromised? My uninformed opinion is that
> it's a question of relative risk; the 'risk' involved in building
> kernels as root, versus the risk involved in giving access to these
> dirs and tools should your account become compromised.

Obviously, the more groups an id is a member of, the more harm that id
can do in the hands of a malicious (or foolish) user. And that's one
reason why I can't make everyone happy no matter what my web page says!
I suppose the most secure method would be to create an id just for
kernel building which is a member of group src and its login group,
and that's it.

-- 
  .''`.     Stephen Powell
 : :'  :
 `. `'`
   `-
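
The dedicated build id suggested in this reply can be checked mechanically. The script below is an added example, not part of the original thread: it resolves an account's login group and supplementary groups from passwd/group-format files and reports anything beyond an allowed list. The account name `kbuild`, the sample files and the function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed sample data; "kbuild" is a hypothetical dedicated build account.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
alice:x:1000:1000:Alice:/home/alice:/bin/bash
kbuild:x:1001:1001:Kernel build:/home/kbuild:/bin/bash
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
adm:x:4:alice
src:x:40:alice,kbuild
staff:x:50:alice
alice:x:1000:
kbuild:x:1001:
EOF

# groups_of USER PASSWD_FILE GROUP_FILE
# Prints, one per line and sorted, the user's login group (resolved from
# the GID field in passwd) plus every group that lists the user as a member.
groups_of() {
    awk -F: -v user="$1" '
        FNR == NR && $1 == user { gid = $4; found = 1 }
        FNR == NR { next }                        # first file is passwd
        found && ($3 "") == (gid "") { print $1 } # login group
        found {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++)
                if (members[i] == user) print $1  # supplementary group
        }
    ' "$2" "$3" | sort -u
}

# extra_groups USER ALLOWED PASSWD_FILE GROUP_FILE
# Prints the groups USER holds that are not in the space-separated
# ALLOWED list; prints nothing when the account is within its allowance.
extra_groups() {
    extra=""
    for g in $(groups_of "$1" "$3" "$4"); do
        case " $2 " in
            *" $g "*) ;;
            *) extra="$extra $g" ;;
        esac
    done
    printf '%s\n' "${extra# }"
}

for u in kbuild alice; do
    echo "$u extra groups: $(extra_groups "$u" "$u src" "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group")"
done
```

On a live system the same functions can be pointed at /etc/passwd and /etc/group, which covers locally defined accounts only.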