prevent setuid/setguid files in rpm installs
2005-03-19 - By Tobias Speckbacher
You could also mount your filesystems with the nosetuid flag, then you can use the packages but setuid never becomes an issue.
-T
-----Original Message-----
From: taroon-list-bounces@(protected) [mailto:taroon-list-bounces@(protected)] On Behalf Of Michael Schwendt
Sent: Saturday, March 19, 2005 3:42 AM
To: Jerry Uanino; Discussion of Red Hat Enterprise Linux 3 (Taroon)
Subject: Re: prevent setuid/setguid files in rpm installs
On Mon, 7 Mar 2005 11:33:00 -0500, Jerry Uanino wrote:
> I'm considering giving developer groups access to specific rpm
> commands. I think with the --relocate and --noscripts options of rpm
> this could be somewhat safe. However, what I cannot overcome is the
> setuid/setguid files it might create. Is there any way to prevent
> setuid root files in the install of an rpm?
Make it a policy not to install setuid/setguid packages. If you don't trust your users, you should not give them access to RPM.
But you could give them access to a wrapper script which only accepts rpms after running a safety check on them (e.g. grep on rpm -qlvp) and reports any violations of your policies.
-- Fedora Core release Rawhide (Rawhide) - Linux 2.6.11-1.1185_FC4 loadavg: 1.12 1.71 1.95
-- Taroon-list mailing list Taroon-list@(protected) http://www.redhat.com/mailman/listinfo/taroon-list
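
The safety check suggested in the message above (a grep on `rpm -qlvp`), written out as an added example that is not part of the original thread. The function names and the `/opt/demo` listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: reject packages whose file list carries setuid/setgid bits.

# Constructed sample in the `ls -l`-like layout that `rpm -qlvp` prints.
sample_listing() {
cat <<'EOF'
-rwxr-xr-x    1 root    root        18324 Mar  7  2005 /opt/demo/bin/tool
-rwsr-xr-x    1 root    root        22100 Mar  7  2005 /opt/demo/bin/helper
-rwxr-sr-x    1 root    mail         9120 Mar  7  2005 /opt/demo/bin/spool
drwxr-xr-t    2 root    root            0 Mar  7  2005 /opt/demo/tmp
lrwxrwxrwx    1 root    root            4 Mar  7  2005 /opt/demo/bin/t -> tool
EOF
}

# Print listing lines whose mode string has s/S in the owner-execute (4th)
# or group-execute (7th) position. The sticky bit (t) is not a violation.
find_setid() {
    awk 'substr($1, 4, 1) ~ /[sS]/ || substr($1, 7, 1) ~ /[sS]/'
}

# Read a listing on stdin; return 0 if clean, 1 (with a report) otherwise.
check_listing() {
    hits=$(find_setid)
    if [ -n "$hits" ]; then
        printf 'policy violation, setuid/setgid entries:\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# Check a package file. An unreadable package is rejected (status 2)
# rather than treated as clean.
check_rpm() {
    listing=$(rpm -qlvp -- "$1") || return 2
    printf '%s\n' "$listing" | check_listing
}

# With a package argument run the real check; otherwise demo on the sample.
if [ "$#" -gt 0 ]; then
    check_rpm "$1"
else
    sample_listing | check_listing || echo "sample listing rejected" >&2
fi
```

The check only sees the modes recorded in the package's file list; scriptlets can still change modes at install time, which is why the original question pairs it with `--noscripts`.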