[NCLUG] Why not Root?

John L. Bass jbass at dmsd.com
Sat Mar 17 19:54:51 MDT 2007


Bill Thorson <bill at tstorms.com> writes:
> If you are using the default gnome.  There is a "Network Configuration" 
> tool which requests root password and then lists your network devices. 
> When you select one and click 'edit' you see as one of your options 
> "Allow all users to enable and disable the device."  This worked for me.

The security aspects of this are very interesting, as providing root
password for the scripts greatly increases the working set of applications
and scripts that need to be verified as "trusted". In general this increases
the risk of a local machine security flaw, by having even more code in the
"must be trusted" class.

A much safer engineering solution is using capability based enables/enforcement
at the kernel level, where networking operations can be allowed without allowing
root access to all the tools which admin the subsystem.

John



More information about the NCLUG mailing list