suid mystery (SOLVED)

Dean S. Messing deanm at sharplabs.com
Sat Dec 10 06:51:21 UTC 2011


On Fri, 09Dec11 19:33 -0800, Scott Doty: wrote:
> On 12/9/11 6:53 PM, Dean S. Messing wrote:
> >
> > I just tested your suggestion. The timestamps are changing.
> >
> 
> It's probably running: /usr/lib64/nspluginwrapper/plugin-config

I think you have solved the mystery, Scott.

The access time on this executable is 17:19 today, which was the first
time I ran my test for my initial post. (Thankfully I recorded the time
in that post.)  I've tested a few more times since then but the access
time didn't update because (if I recall) the kernel only updates if it
hasn't been accessed in 24 hours.

So the next question is: why is an "suid root" executable needing to be
called?  Can't everything be confined to my user account so that nasty
things can't happen.  I'm not sure exactly what plugin-config does
(apart from configuring plugins :-), but if it is allowed to install
stuff in the /usr/lib64 hierarchy, it would seem (to a security novice
like me) to be a serious security hole.

Anyway, thanks for solving the mystery.

Dean


More information about the users mailing list