From: Chick Tower on 22 Jun 2010 14:49

On 2010-06-21, Barnabyh <usenet(a)spamtrap.org> wrote:
> ...
> I have a question in regards to security though. As slrnpull needs
> to run as root or under sudo in crontab, what are the chances of a
> potential security hole affecting/escalating into the whole system.
>
> ...
>
> Apart from keeping an eye on this sort of thing and trusting the
> appearance of official updates, would it not be better to run
> slrnpull non-root?
>
> Is it possible to achieve this?

See /usr/docs/slrn-{version}/slrnpull/setgid.txt for ideas. I don't
know whether or not its suggestions make slrnpull any more secure,
but they allow normal users to run it.

I don't run slrnpull with cron, but I run it as a normal user and I
keep the news files in a .slrnpull/{servername} directory in my home
directory since I'm the only user.

--
Chick Tower

For e-mail: aols2 DOT sent DOT towerboy AT xoxy DOT net

From: Sylvain Robitaille on 22 Jun 2010 15:54

Chick Tower wrote:
> See /usr/docs/slrn-{version}/slrnpull/setgid.txt for ideas. I don't
> know whether or not its suggestions make slrnpull any more secure,
> but they allow normal users to run it.

not exactly:

s/normal users/an otherwise unprivileged user/
s/to run it/to run it on behalf of normal users/

--
----------------------------------------------------------------------
Sylvain Robitaille syl(a)encs.concordia.ca
Systems analyst / AITS Concordia University
Faculty of Engineering and Computer Science Montreal, Quebec, Canada
----------------------------------------------------------------------

From: Barnabyh on 23 Jun 2010 05:47

* Sylvain Robitaille <syl(a)alcor.concordia.ca> wrote:
> Chick Tower wrote:
>
>> See /usr/docs/slrn-{version}/slrnpull/setgid.txt for ideas. I don't
>> know whether or not its suggestions make slrnpull any more secure,
>> but they allow normal users to run it.
>
> not exactly:
>
> s/normal users/an otherwise unprivileged user/
> s/to run it/to run it on behalf of normal users/
>

And it's working well. I checked the SlackBuild in /source to see that
the patch is enabled.

Of course not many people would know this other than the one who wrote
it and some hardcore long-term slrnpull users :)
Or just people who like reading documentation.

Barnabyh

--
The general public is a bunch of morons who destroy the fun and life in
everything it collectively touches. Disney is what the public wants.
NASCAR is what the public wants. Windows is what the public wants.
(Slashdot, Monday March 28 2005, Gnome Removed From Slackware.)

From: Sylvain Robitaille on 23 Jun 2010 13:58

Barnabyh wrote:
> Of course not many people would know this other than the one who
> wrote it and some hardcore long-term slrnpull users :)

At the time, JED (then Slrn's primary author, though I remember seeing
more recently that he's back on the project) made a point to clearly
announce the addition, but he chose to have it default to what had
until that time been slrnpull's "known" behaviour.

I'm surprised that it isn't better known by now, though.

--
----------------------------------------------------------------------
Sylvain Robitaille syl(a)encs.concordia.ca
Systems analyst / AITS Concordia University
Faculty of Engineering and Computer Science Montreal, Quebec, Canada
----------------------------------------------------------------------

From: Chick Tower on 23 Jun 2010 22:24

On 2010-06-22, Sylvain Robitaille <syl(a)alcor.concordia.ca> wrote:
> s/normal users/an otherwise unprivileged user/

What's the difference between a normal user and an otherwise
unprivileged user, Sylvain?

--
Chick Tower

For e-mail: aols2 DOT sent DOT towerboy AT xoxy DOT net