Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
example, the situation where a user needs to change his password. To
do this, the user needs to write his new password to the /etc/shadow file. This file,
however, is not writeable for users who do not have root permissions.
SUID permission offers a solution for this problem. On the /usr/bin/passwd
utility, this permission is applied by default. That makes that when changing his
password, the user temporarily has root permissions, which allows him to write to
the /etc/shadow file.
does this not make it possible for anybody to write any password to /etc/shadow...i men isnt it a security compromise for convenience?
The SUID permission may look useful (and it is in some cases), but at the same
time, it is potentially dangerous. If applied wrongly, you may give away root permissions
by accident. I therefore recommend using it with greatest care only. Most
administrators will never have to use it; you’ll only see it on some files where the
operating system needs to set it as a default.
so is it advisable to turn off this SUID permission for specific utilities?
would an admin typically write a security script to change certain default security settings?
does this not make it possible for anybody to write any password to /etc/shadow
Only if the person who wrote /usr/bin/passwd effed up.
Quote:
...i men isnt it a security compromise for convenience?
It means your Trusted computing base becomes bigger, but what is the alternative? (that's not a rhetorical question, there may well be reasonable alternatives)
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.