On Mon, 01 Dec 2003 21:08:34 +0000, Randy Orrison wrote:

> Paul Morgan wrote:
>> The key in any case is to protect your /usr/local... from anyone except
>> root writing to it, and also not to put current directory in root's path.
>
> Excellent idea. Too bad debian doesn't do that out of the box.
>
>> /usr/local... doesn't exist so non-admins can put commands in there; they
>> should be putting them in somewhere in their /home or in their apps
>> directories.
>
> I think the point here is that the default debian install leaves
> /usr/local/bin writable by group staff. This is an easy privilege
> escalation route, if someone gets a staff group account and drops
> replacement executables in /usr/local/bin.
>
> From the debian reference, section 9.2.3: "staff membership is useful
> for helpdesk types or junior sysadmins, giving them the ability to do
> things in /usr/local and to create directories in /home" -- would you
> trust them with root?
>
> No, root shouldn't have /usr/local/[s]bin in its path before the
> standard directories. If root wants customised binaries that override
> system standard ones, he should customise his path himself to include
> /root/bin and make sure no-one else has write access to it. You could
> probably make a case for root not having *any* directories *anywhere* in
> its path that are writable by anyone other than root.
>
> Randy
Default debian install creates no /usr/local directories, at least it never
has for me. Also, default debian installation does *not* put cwd in root's
path. And, note that the debian reference that you quoted doesn't say
anything about /usr/local/bin or sbin, just that they should be able to do
things in /usr/local.

IMO /usr/local/bin and sbin are production directories and nothing should go
in there which hasn't gone through the site's normal production QA and
change/version control procedures, so root need be the only person who
writes in there, used by the version control manager, maybe.

-- 
....................paul

"Reports that say that something hasn't happened are always interesting to
me, because as we know, there are known knowns; there are things we know we
know. We also know there are known unknowns; that is to say we know there
are some things we do not know. But there are also unknown unknowns - the
ones we don't know we don't know."
- Donald Rumsfeld, US Secretary of Defense, Winner of British Plain English
Campaign's 2003 "Foot in Mouth" award.
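The rule Randy states (no directory in root's path that anyone other than root can write to) can be checked mechanically. The script below is an added example, not code from this thread; it assumes a POSIX sh with the standard `ls -ldn` column layout, and takes the expected owner uid as an optional second argument (default 0, root) so the same check can be run against any account's PATH.

```shell
#!/bin/sh
# audit_path: list PATH entries that a non-root user could control.
# Usage: audit_path "PATH_STRING" [EXPECTED_OWNER_UID]
# Flags: empty or "." entries (the current directory), missing directories
# (whoever can create them controls them), directories not owned by the
# expected uid (0 = root by default), and group- or world-writable ones.
# Prints one line per flagged entry; returns 1 if anything was flagged.
audit_path() {
    expected_uid=${2:-0}
    status=0
    rest="$1:"                      # trailing ':' so the loop sees every field
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        reason=
        if [ -z "$dir" ] || [ "$dir" = . ]; then
            reason="resolves to the current working directory"
        elif [ ! -d "$dir" ]; then
            reason="does not exist (whoever can create it controls it)"
        else
            # Assumes POSIX 'ls -ldnL' columns: mode, links, uid, gid, ...
            set -- $(ls -ldnL "$dir")
            perms=$1
            uid=$3
            [ "$uid" = "$expected_uid" ] || reason="owned by uid $uid, not $expected_uid"
            case $perms in ?????w*) reason="${reason:+$reason; }group-writable ($perms)";; esac
            case $perms in ????????w*) reason="${reason:+$reason; }world-writable ($perms)";; esac
        fi
        if [ -n "$reason" ]; then
            printf '%s: %s\n' "${dir:-<empty entry>}" "$reason"
            status=1
        fi
    done
    return $status
}

# Run directly (e.g. as root: sh audit_path.sh) to audit this shell's PATH.
audit_path "${1:-$PATH}" || echo "PATH contains entries that non-root users could control"
```

An entry that does not exist is flagged as well, because its safety then depends on who is allowed to create it, which is exactly the situation when /usr/local/bin is in root's path but, as Paul notes, was never created by the install.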