[Ffmpeg-devel] PATCH: Build Suffix

Rich Felker dalias
Sat Jul 30 15:54:13 CEST 2005


On Fri, Jul 29, 2005 at 08:31:29PM -0700, Jacob Meuser wrote:
> On Fri, Jul 29, 2005 at 08:03:07AM -0400, Rich Felker wrote:
> 
> > My point was exactly that you do not, and CANNOT, control what they do
> > with sudo. If a program can safely be run by ordinary users with
> > elevated permissions, it will use the suid bit and have its own strong
> > internal permissions handling.
> 
> yeah, like cdrecord?  I had a similar "discussion" about the pros and
> cons of using cdrecord with sudo instead of setting it suid with
> Joerg Schilling some time back.  he was, of course, in favor of the
> suid bit.  within a week, there was a CERT advisory about suid cdrecord
> holes.

because joerg schilling is a complete idiot. cdrecord does not need
root whatsoever. just set proper permissions on the device you want it
to use, and don't run with root at all. i can assure you that sudo
will be MUCH MORE INSECURE than suid, i.e. any user can read any file
such as /etc/shadow. :)

and to those of you who dislike my personal attacks, you're usually
justified, but joerg is disgusting -- he's responsible for multiple
vulnerabilities through his arrogance about his own insecure and
unnecessarily suid code, and a complete traitor to free software. look
up his history before you flame me this time.

> > Virtually anything run through sudo is
> > full of holes that yield full root access, like the "make install"
> > example.
> 
> almost every program has potential holes.  less code running with
> elevated privileges is inherently more secure.
> 
> sudo allows far more control of what a user can do with a program than
> setting the suid bit does.

i already said you cannot set suid bit on random programs. it must be
a program that's aware that it has suid, and which drops root
immediately and permanently after obtaining the necessary resource.
however, sudo will be at least as insecure in almost all cases.

> let's get back to where this discussion started.  can you tell me
> how an administrator (who probably has root anyway) using sudo to
> install software is going to lead to security issues?  how is this
> so different than if the admin had sud instead?  in this case, how
> is using su more secure?

i already showed you:
cat <<EOF>Makefile
install:
	chmod +s /bin/sh
EOF
sudo make install

> almost every program has potential holes.  less code running with
> elevated privileges is inherently more secure.

sudo leads to more code running elevated, not less.

rich
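
Added example (not part of the original message, and not code from cdrecord or sudo): a sketch of the "obtain the resource, then drop root immediately and permanently" pattern described above for suid-aware programs. It assumes Linux or a BSD with setresuid/setresgid; the function name drop_root_permanently and the /dev/null stand-in device are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently become uid/gid. Returns 0 on success, -1 on failure; on -1
 * the caller must exit rather than carry on with partial privileges. */
int drop_root_permanently(uid_t uid, gid_t gid)
{
    uid_t r, e, s;
    gid_t rg, eg, sg;

    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; }

    /* Groups first: once the uid is gone we may no longer change them. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setresgid(gid, gid, gid) != 0) return -1;
    /* Setting real, effective AND saved uid is what makes it permanent. */
    if (setresuid(uid, uid, uid) != 0) return -1;

    /* Do not trust the return codes alone: read the ids back ... */
    if (getresuid(&r, &e, &s) != 0 || r != uid || e != uid || s != uid) return -1;
    if (getresgid(&rg, &eg, &sg) != 0 || rg != gid || eg != gid || sg != gid) return -1;
    /* ... and confirm that root cannot be regained. */
    if (setuid(0) == 0 || seteuid(0) == 0) { errno = EPERM; return -1; }
    return 0;
}

int main(int argc, char **argv)
{
    /* Constructed stand-in for the privileged resource. */
    const char *dev = argc > 1 ? argv[1] : "/dev/null";
    int fd = open(dev, O_RDWR | O_CLOEXEC);   /* the only step done as root */
    int open_errno = errno;

    /* Drop before touching any further input. Run by root itself there is
     * no unprivileged id to drop to, so this example refuses and exits. */
    if (drop_root_permanently(getuid(), getgid()) != 0) {
        perror("drop_root_permanently");
        return 1;
    }
    if (fd < 0) { fprintf(stderr, "%s: %s\n", dev, strerror(open_errno)); return 1; }
    printf("holding fd %d on %s as uid %d\n", fd, dev, (int)getuid());
    close(fd);
    return 0;
}
```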




