From mboxrd@z Thu Jan 1 00:00:00 1970 Date: Sat, 17 Nov 2018 00:24:05 +0000 From: Alasdair G Kergon Message-ID: <20181117002405.GF5291@agk-dp.fab.redhat.com> References: <20181115175718.GE5291@agk-dp.fab.redhat.com> <2a7f4f1fc1a54fd6eca7d7bc9a6249ae@cs.uni-dortmund.de> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <2a7f4f1fc1a54fd6eca7d7bc9a6249ae@cs.uni-dortmund.de> Subject: Re: [linux-lvm] lvcreate from a setuid-root binary Reply-To: LVM general discussion and development List-Id: LVM general discussion and development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , List-Id: Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: Christoph Pleger Cc: LVM general discussion and development On Fri, Nov 16, 2018 at 02:43:10PM +0100, Christoph Pleger wrote: > I get security by checking the real user id at the beginning of the > program and aborting the program if that uid does not belong to the only > user who is allowed to run the program. Sounds familiar. Shall I tell you one of those stories? I used a system where the sysadmin was worried that letting people run the setuid 'su' binary was too dangerous, so he wrote a wrapper around it to "improve" security. The wrapper checked you were in the admin group before letting you run the real 'su'. Of course anyone who understood how setuid works better than he did could now use the wrapper in numerous different ways to become root directly without a password. If you care about security find another solution that doesn't involve writing your own privileged code to be run under the control of an unprivileged user. Alasdair