OpenSuse 11.1 security issue "ip" - exec. by others

I don’t know how on OpenSuse 11.2, but I found out that on my 11.1 kernel 2.6.27.42-0.1 command “ip” and everything else belongs to it, can be executed by everyone.

I don’t thing it is really good idea.

Please check this.

Thanks.

On Mon, 2010-01-25 at 18:26 +0000, nimnull22 wrote:
> I don’t know how on OpenSuse 11.2, but I found out that on my 11.1
> kernel 2.6.27.42-0.1 command “ip” and everything else belongs to it, can
> be executed by everyone.

It executes with no privs… I guess it could be viewed harmful
if information is harmful? But you know, you could always execute
/sbin/ifconfig as well as a normal user.

>
> I don’t thing it is really good idea.

AFAIK, it’s not harmful… unless seeing your IP address, etc, is
considered harmful.

Ok. Thanks. I will change attributes, and also for “route” and others.

I don’t understand, if network utilities can be executed by anyone even GUEST, what kind of SECURITY developers are talking about - guest can change IP, routing…

It is just one big hole.

Thanks.

They can only SEE things, they can not CHANGE anything.

I do not think that after so many years of this behaviour in Unix/Linux you can now accuse all those ‘developers’ of neglecting security.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Wait, can you as normal user change the configuration of the system
using it???


VampirD
No in elenath hîlar nan hâd gîn
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/

iEYEARECAAYFAkteGM8ACgkQJQ+0ABWtaVlI9QCeIJ7U1PgaG1m3CRzWKjceU95H
atQAoLAn408hetVS4gzy2CL6/6mLxvHe
=vnki
-----END PGP SIGNATURE-----

No, normal user can’t change:

ip addr add 192.168.2.20/32 dev eth0
RTNETLINK answers: Operation not permitted

/sbin/ifconfig eth0 down
SIOCSIFFLAGS: Permission denied

So, system can’t be tweaked.

I’m happy. but anyway I will change file attributes.

Everyone thanks.

You may run into trouble doing that many programs need to read the files under the user credentials.So some programs may not run if you suddenly make their config files unreadable for a user.

But you live and you learn by doing dumb things :wink:

You are welcome in spite of the fact that you did not realy understand the impact of my answer.

You better do not change those setting. There is more then 20 years of experience flown into them. When you think in a brink of time that you can invent a better way of doing these things you are very likely to run in difficulties as gogalthorp warns you. Even a much needed and asap to be done security update may give you a headache.

I suppose it could be worse, like the guy who though that mode 666 on /dev/null was a mistake and changed it.

:stuck_out_tongue: :X and all that kind.