[Ffmpeg-devel] PATCH: Build Suffix

Jacob Meuser jakemsr
Sun Jul 31 09:00:24 CEST 2005


On Sat, Jul 30, 2005 at 09:54:13AM -0400, Rich Felker wrote:
> On Fri, Jul 29, 2005 at 08:31:29PM -0700, Jacob Meuser wrote:
> > On Fri, Jul 29, 2005 at 08:03:07AM -0400, Rich Felker wrote:
> > 
> > > My point was exactly that you do not, and CANNOT, control what they do
> > > with sudo. If a program can safely be run by ordinary users with
> > > elevated permissions, it will use the suid bit and have its own strong
> > > internal permissions handling.
> > 
> > yeah, like cdrecord?  I had a similar "discussion" about the pros and
> > cons of using cdrecord with sudo instead of setting it suid with
> > Joerg Schilling some time back.  he was, of course, in favor of the
> > suid bit.  within a week, there was a CERT advisory about suid cdrecord
> > holes.
> 
> because joerg schilling is a complete idiot. cdrecord does not need
> root whatsoever. just set proper permissions on the device you want it
> to use, and don't run with root at all. i can assure you that sudo
> will be MUCH MORE INSECURE than suid, i.e. any user can read any file
> such as /etc/shadow. :)

I don't have a whole lot of respect for Joerg, but this is just
an example (seems to be a common example, actually) of people who
prefer suid over other options, "because they are clever enough
to code properly", which is exactly what you were suggesting.

> and to those of you who dislike my personal attacks, you're usually
> justified, but joerg is disgusting -- he's responsible for multiple
> vulnerabilities through his arrogance about his own insecure and
> unnecessarily suid code, and a complete traitor to free software. look
> up his history before you flame me this time.

you were agreeing with him that sudo is an unwieldy insecure program.
I have already explained that sudo needs to be understood to be used
properly.  I have to say you are both simply unwilling to learn and
understand in this case.  if you don't want to use it, fine, then
you don't need to understand it.  but don't spread FUD because you
don't understand it.

> > > Virtually anything run through sudo is
> > > full of holes that yield full root access, like the "make install"
> > > example.
> > 
> > almost every program has potential holes.  less code running with
> > elevated privileges is inherently more secure.
> > 
> > sudo allows far more control of what a user can do with a program than
> > setting the suid bit does.
> 
> i already said you cannot set suid bit on random programs. it must be
> a program that's aware that it has suid, and which drops root
> immediately and permanently after obtaining the necessary resource.
> however, sudo will be at least as insecure in almost all cases.
> 
> > let's get back to where this discussion started.  can you tell me
> > how an administrator (who probably has root anyway) using sudo to
> > install software is going to lead to security issues?  how is this
> > so different than if the admin had su'd instead?  in this case, how
> > is using su more secure?
> 
> i already showed you:
> cat <<EOF>Makefile
> install:
> 	chmod +s /bin/sh
> EOF
> sudo make install

how is it different if using sudo or su'd as root was the question.

> > almost every program has potential holes.  less code running with
> > elevated privileges is inherently more secure.
> 
> sudo leads to more code running elevated, not less.

how?  if I su, there is a shell (which is almost always more code
than in sudo) running as root.

-- 
<jakemsr at jakemsr.com>
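
The pattern quoted in the thread above, a suid-aware program that "drops root immediately and permanently after obtaining the necessary resource", as an added C example that is not code from the thread or from any program named in it. The function name `drop_root_permanently` and the `DEVICE_PATH` placeholder are assumptions made for illustration.

```c
/* Added example: permanent privilege drop for a setuid-root helper.
 * DEVICE_PATH is a constructed placeholder, not a path from the thread. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* for setgroups() on glibc */
#endif
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

#define DEVICE_PATH "/dev/null"

/* Drop from euid 0 to the invoking user's real ids, irreversibly.
 * Returns 0 on success, -1 if any step fails or root can be regained. */
int drop_root_permanently(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    /* Shed root's supplementary groups (only applies when suid-root). */
    if (geteuid() == 0 && ruid != 0 && setgroups(1, &rgid) != 0)
        return -1;
    /* Group first: after setuid() we may no longer change it. */
    if (setgid(rgid) != 0)
        return -1;
    /* With euid 0, setuid() sets real, effective and saved uid together. */
    if (setuid(ruid) != 0)
        return -1;
    if (getuid() != ruid || geteuid() != ruid ||
        getgid() != rgid || getegid() != rgid)
        return -1;
    /* Verify: a surviving saved uid of 0 would let either call succeed. */
    if (ruid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    return 0;
}

int main(void)
{
    /* Acquire the one privileged resource first... */
    int fd = open(DEVICE_PATH, O_RDWR);
    /* ...then give up root before handling any user-controlled input. */
    if (drop_root_permanently() != 0) {
        fputs("refusing to continue: could not drop privileges\n", stderr);
        return 1;
    }
    if (fd < 0) { perror(DEVICE_PATH); return 1; }
    close(fd);  /* remaining work runs with the invoking user's rights */
    return 0;
}
```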




