httpd-users mailing list archives

From "J. Greenlees" <ja...@shaw.ca>
Subject Re: [users@httpd] useradd
Date Mon, 20 Jan 2003 01:22:32 GMT
Zac Stevens wrote:
> On Sun, Jan 19, 2003 at 05:49:53PM -0600, Gary Turner wrote:
> 
>>M A wrote:
>>
>>>i already did add */sbin to my PATH..why is it bad karma?
>>
>>Since there is *no* reason to have the path to sbin in user land (after
>>all, user can't {shouldn't} run anything there), it only promotes bad
>>habits.  Consider that you don't want just anyone to have access to your
>>cgi directories or httpd.conf, since there is the possibility of system
>>damage---even more so with the OS.  You don't want users to have any
>>access to system commands and files.
> 
> 
> I disagree - I do as little as possible as the root user, preferring to use
> sudo and similar tools.  Leaving out the sbin paths becomes a major PITA,
> very quickly.
> 
> Putting */sbin into PATH does not grant any special access, and removing 
> it does nothing to prevent users from having access to the utilities 
> therein - they'd just need to specify the full path!  Finally, users have 
> full control over their own PATH - anyone can add whatever they want to 
> it.  The exception here is the environment you provide to running 
> daemons - cron, httpd, etc - but I don't believe that is what the OP was
> talking about.
> 
> I'd still love to hear opinions on what damage - or potential damage - is
> caused by adding */sbin to PATH, because frankly this is the first time 
> I've seen anyone suggest that it's inherently dangerous.
> 
> Cheers,
> 
> 
> Zac

The only danger is in unauthorised root access, either by a hacker or a legit 
user getting root access by error.
The more difficult getting the command to run (like having to type the 
entire path), the less damage can be done accidentally.





---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
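
An added example, not part of the original thread, illustrating the point quoted above that PATH only affects name lookup while the file's mode decides whether it can be executed. The `lookup`, `make_sandbox` and `report` helpers and the `fakeadm` script are hypothetical and are built in a temporary directory.

```shell
#!/bin/sh
# Added example (constructed sandbox; "fakeadm" is a stand-in for an sbin tool).

# lookup NAME PATHSTRING: simplified version of the shell's command search.
# Prints the first regular, executable match; returns 1 if there is none.
lookup() {
    name=$1
    old_ifs=$IFS
    IFS=:
    for dir in $2; do
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# make_sandbox: builds <tmp>/bin and <tmp>/sbin/fakeadm (mode 755), prints <tmp>.
make_sandbox() {
    root=$(mktemp -d) || return 1
    mkdir "$root/bin" "$root/sbin" || return 1
    printf '#!/bin/sh\necho fakeadm-ran\n' > "$root/sbin/fakeadm"
    chmod 755 "$root/sbin/fakeadm"
    printf '%s\n' "$root"
}

# report ROOT: show what PATH changes and what it does not.
report() {
    r=$1
    lookup fakeadm "$r/bin" >/dev/null || echo "PATH=bin only: bare name not found"
    echo "full path still runs: $("$r/sbin/fakeadm")"
    echo "PATH with sbin: bare name resolves to $(lookup fakeadm "$r/bin:$r/sbin")"
    chmod 644 "$r/sbin/fakeadm"   # take away execute permission
    lookup fakeadm "$r/bin:$r/sbin" >/dev/null || echo "mode 644: sbin in PATH, still cannot run"
    chmod 755 "$r/sbin/fakeadm"
}

sandbox=$(make_sandbox) && report "$sandbox" && rm -rf "$sandbox"
```
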

