Ed Greshko <Ed.Greshko(a)greshko.com> wrote:
Sent: Sep 2, 2010 6:58 AM
To: Community support for Fedora users <users(a)lists.fedoraproject.org>
Subject: Re: SELinux - a call for end-of-life.
On 09/02/2010 08:41 PM, Tim wrote:
> Ed Greshko:
>>>> Are you saying that you think it is a good idea to be allowed to chown
>>>> of a file under your UID to another's UID as a normal user?
> Tim:
>>> You've never downloaded a file as one user, that another user wanted, or
>>> another of your own logins needed, and then had to move it from one to
>>> the other?
> Ed Greshko:
>> That wasn't my question...
> Well it was the situation I was originally talking about. Are you
> saying that nobody should be allowed to do that?
>
I am saying that it would be fraught with danger. You'd need to control
who and under what circumstances a given user would be allowed to disown
a file and transfer ownership to another. I can see it being abused
(intentionally or unintentionally... due to misconfiguration or whatnot)
where an executable is "given" to a "target" and bad things could
result. I just see that too much thought would be needed to put this
into practice.
In real life, I don't think it is as easy or straight forward as imagined.
And it should not be.
However, this portion of the thread is the first case where I could actually state that
this could be a MAJOR security hazard. Let's expand this:
1. An account with a weak password gets compromised.
2. This account has a file added (either FTP/SFTP upload or a malicious script is written).
3. The ownership of this file is changed to a user with elevated privileges, but not root.
It is rather interesting, but if this is prevented, then the file remains just a space waster...
This is one of the functions of a good security system.
However, if the user was root, this whole case changes. A good security system should
prevent or disable root login excepting a specific set of known hosts or only from specific
users if internal (su).
James McKenzie