sudo and changes in packaging guidelines

Frank Ch. Eigler fche at redhat.com
Fri Apr 13 19:16:58 UTC 2012


ajax wrote:

> [...]
>> If this is meant to cover administrative binaries that have no
>> privilege escalation pieces of their own, merely run by root, then
>> what makes them different from any other /bin/* program that a root
>> process might invoke?
>
> It's not meant to cover that.  That phrasing is meant to cover system
> components like init that do not function _unless_ run as uid 0.

OK.  Can you point to an attack scenario against such binaries that
would not also apply against some non-uid0-only binary that root 
may incidentally run?

- FChE


More information about the devel mailing list