Linux Privilege Escalation
Hi all,
My first post. Would like to get everyone's opinion on something. Here's a hypothetical situation regarding a hypothetical commercial application:

1. The application is intended for use by normal users.
2. The application must run in a non-interactive mode (for scripting and such).
3. The application has to run as ROOT to do it's thing.
4. The application calls various standard system utilities that are not a part of the application package.

Normally, I would expect that the system utility files that are called are not world writeable. So here's the question(s): Does the application have any responsibility for ensuring that it isn't going to potentially be the path to privilege escalation? If so, what would you do within the app?

Thanks!
Hello and welcome to LQ.
To me, numbers 1 and 3 are conflicting. If the program needs special privileges to do a certain task (for example, bind to a port number less than 1024), I would suggest there are a few ways to minimize possibility of privilege escalation within the program (and yes, I think it is the “responsibility” of any app that needs special privileges to minimize the chance that it would be used for privilege escalation):
P.S., notice the lack of an apostrophe in my use of “its”.
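One way a root-run program could verify a system utility before executing it, covering the "not world writeable" expectation raised in the question. This is an added example, not code from either poster; `open_trusted_helper`, `run_trusted_helper` and the `trusted_uid` parameter are hypothetical names chosen for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open a helper for execution only if an unprivileged user could not have
 * replaced or modified it. trusted_uid is 0 in the real root-run program; it
 * is a parameter (an assumption of this example) so the check can be run
 * without root. Returns an open fd, or -1 if the helper is rejected. */
int open_trusted_helper(const char *path, uid_t trusted_uid)
{
    struct stat st;
    int fd;
    if (path == NULL || path[0] != '/')      /* absolute path, never a PATH search */
        return -1;
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);  /* final symlink refused */
    if (fd < 0)
        return -1;
    /* fstat the descriptor, not the name, so check and exec see the same file. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != trusted_uid ||                      /* wrong owner */
        (st.st_mode & (S_IWGRP | S_IWOTH)) != 0 ||       /* group/world writable */
        (st.st_mode & S_IXUSR) == 0) {                   /* not executable */
        close(fd);
        return -1;
    }
    return fd;
}

/* Run the vetted helper with a fixed environment; returns its exit status or -1. */
int run_trusted_helper(const char *path, char *const argv[], uid_t trusted_uid)
{
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    int status, fd = open_trusted_helper(path, trusted_uid);
    pid_t pid;
    if (fd < 0)
        return -1;
    pid = fork();
    if (pid == 0) {
        fexecve(fd, argv, clean_env);   /* executes the inode that was checked */
        _exit(127);
    }
    close(fd);
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

Because the descriptor is opened close-on-exec, `fexecve` here works for compiled binaries but not for interpreter scripts; a helper that is a symlink has to be named by its resolved path.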