OT: suid programs vs. sudo access (Re: NetworkManager or Wifi-Radar?)
Brian J. Tarricone
bjt23 at cornell.edu
Fri Jun 13 21:02:26 CEST 2008
Grant McWilliams wrote:
> gag, cough sputter. An SUID program is better than a SUDO entry???? I'm
> going to use this thread for my Linux Host System Security class on Tuesday!
It can be, if done properly. A sudo entry to run a particular app as
root password-less forces you to rely on sudo itself being well behaved
and secure.
A binary with perms set to -rwsr-x--- and ownership set to root:foo (and
put users allowed to run it in group foo) only relies on the OS's
built-in facilities and is certainly no less secure than a password-less
sudo entry. I'd argue it's more secure.
Though really, the security concerns of using suid vs. sudo are dwarfed
by those of running a GUI app as root. wpa_gui uses Qt, right? Care to
audit all of Qt for security issues?
-brian
>
> On Fri, Jun 13, 2008 at 6:49 AM, Greg Folkert <greg at gregfolkert.net> wrote:
>
>> On Fri, 2008-06-13 at 14:31 +0200, Jean-Christophe wrote:
>>> I found this thread and I could suggest another soft: wpa_gui, which is
>>> the most highly capable I found.
>>> I made a hotkey launching 'sudo wpa_gui' (it must be launched as root)
>>> and added 'ALL ALL=NOPASSWD: /usr/sbin/wpa_gui' to sudoers with
>> visudo.
>>
>> I know many people hate SUID programs... but rather than make a grievous
>> SUDOERS ENTRY like that...
>>
>> Why not make the program SUID and owned by root? Or at least GUID and
>> proper groups memberships for the running user.
>> --
>> greg at gregfolkert.net
>> PGP key 1024D/B524687C 2003-08-05
>> Fingerprint: E1D3 E3D7 5850 957E FED0 2B3A ED66 6971 B524 687C
>> Alternate Fingerprint: 09F9 1102 9D74 E35B D841 56C5 6356 88C0
>> Alternate Fingerprint: 455F E104 22CA 29C4 933F 9505 2B79 2AB2
>>
>> _______________________________________________
>> Xfce mailing list
>> Xfce at xfce.org
>> http://foo-projects.org/mailman/listinfo/xfce
>> http://www.xfce.org
>>
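An audit sketch for the two setups compared in this thread, added here as an example and not part of the original e-mails: it checks that a setuid binary matches the restricted `-rwsr-x---` root:group layout and flags password-less sudoers entries granted to all users. The function names and verdict strings are hypothetical, the sudoers check is a simplification that ignores aliases and includes, and `audit_suid_file` assumes GNU `stat`.

```shell
#!/bin/sh
# Added example: simplified checks; sample inputs are constructed.

# check_suid_mode MODE OWNER -> prints one verdict.
# MODE is the octal string printed by `stat -c %a`, e.g. 4750 for -rwsr-x---.
check_suid_mode() {
    mode=$1 owner=$2
    case $mode in
        [4567]???) ;;                       # setuid bit is set
        *) echo "not-suid"; return ;;
    esac
    [ "$owner" = "root" ] || { echo "not-root-owned"; return; }
    other=${mode#???}                       # last octal digit: everyone else
    grp=${mode#??}; grp=${grp%?}            # third digit: the owning group
    [ "$other" = "0" ] || { echo "world-access"; return; }
    case $grp in
        [2367]) echo "group-writable"; return ;;  # group members can modify the file
    esac
    echo "ok"                               # only root and the group can run it
}

# audit_suid_file PATH -> verdict plus the group that acts as the access list.
audit_suid_file() {
    info=$(stat -c '%a %U %G' "$1") || return 1   # assumes GNU coreutils stat
    set -- $info
    echo "$(check_suid_mode "$1" "$2") group=$3"
}

# check_sudoers_line LINE -> classifies one sudoers line (simplified parse).
check_sudoers_line() {
    line=$1
    case $line in
        ''|'#'*|Defaults*) echo "skip"; return ;;
    esac
    case $line in
        *NOPASSWD:*) ;;
        *) echo "password-required"; return ;;
    esac
    who=${line%%[[:space:]]*}               # first field: who the rule applies to
    if [ "$who" = "ALL" ]; then echo "nopasswd-all-users"
    else echo "nopasswd-restricted"; fi
}

# Demo on the two configurations from the thread (constructed inputs).
echo "suid 4750 owned by root -> $(check_suid_mode 4750 root)"
echo "sudoers entry           -> $(check_sudoers_line 'ALL ALL=NOPASSWD: /usr/sbin/wpa_gui')"
```
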