sudo and changes in packaging guidelines
Frank Ch. Eigler
fche at redhat.com
Fri Apr 13 19:16:58 UTC 2012
ajax wrote:
> [...]
>> If this is meant to cover administrative binaries that have no
>> privilege escalation pieces of their own, merely run by root, then
>> what makes them different from any other /bin/* program that a root
>> process might invoke?
>
> It's not meant to cover that. That phrasing is meant to cover system
> components like init that do not function _unless_ run as uid 0.

OK. Can you point to an attack scenario against such binaries that
would not also apply against some non-uid0-only binary that root
may incidentally run?

- FChE