pam_group (Was: ubuntu-xxx ....)
Matt Zimmerman
mdz at ubuntu.com
Fri Apr 1 08:45:50 CST 2005
On Fri, Apr 01, 2005 at 09:09:20AM +0200, Timo Aaltonen wrote:
> If I understand this correctly, it means that if a user has logged in
> locally and got access to those groups, it has the same access when logged
> in later (via ssh for example)? I've tested this and it is not the case;
> the user does not get in those groups, even if he/she is logged in locally
> at the same time.
No, it means that the user can hold onto those permissions after they log out
locally, and use them from anywhere.
> >Log in locally:
> >
> >cp /bin/sh $HOME
> >chgrp plugdev $HOME/sh
> >chmod g+s $HOME/sh
> >
> >You now have a setgid plugdev shell that you can use anytime you want
> >permissions of that group.
>
> true, if your home is on the local disk, or if the admins have gone
> bonkers. The documentation says that every file system where the user has
> write access should be mounted with the 'nosuid' option, which is usually (I
> think) the case at least on NFS-mounts. /tmp and such is another story,
> though.
That's only one example. It would also be possible to leave a process
running, or a number of other persistent resources and continue to use the
privileges later.
Trust us, this is not as simple as it might appear, and new kernel
functionality is required in order to provide the semantics that you want.
--
- mdz
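The thread leaves the defensive checks implicit: which user-writable filesystems lack nosuid, and whether a setgid copy of a shell in a pam_group-managed group is already sitting around. The following audit script is an added example, not code from this thread or from pam_group/Ubuntu. It assumes a /proc/mounts-style table (the sample embedded here is constructed, not from a real host); plugdev is the group named in the thread, and audio, video and cdrom are assumed as further illustrative pam_group groups.

```shell
#!/bin/sh
# Audit helpers for the pam_group persistence problem discussed in the thread.
# Added example; not code from the thread or from pam_group itself.

# Constructed sample mount table in /proc/mounts format (not a real host).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /home ext4 rw,nosuid,nodev,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
nfsserver:/export/home /nfshome nfs rw,relatime,vers=3 0 0'

# mounts_missing_nosuid: read a /proc/mounts-style table on stdin and print the
# mount point of every entry whose option list (field 4) lacks "nosuid".
# Any of these that ordinary users can write to will honour a setgid copy of
# a shell, which is exactly the persistence path described above.
mounts_missing_nosuid() {
    awk '{
        n = split($4, opts, ",");
        found = 0;
        for (i = 1; i <= n; i++) if (opts[i] == "nosuid") found = 1;
        if (!found) print $2;
    }'
}

# find_setgid_for_groups DIR GROUP...: list regular files under DIR that carry
# the setgid bit and belong to one of the named groups (the groups pam_group
# hands out at console login).  One path per line, sorted; stays on one
# filesystem (-xdev) and ignores groups unknown to this host.
find_setgid_for_groups() {
    dir=$1; shift
    for g in "$@"; do
        find "$dir" -xdev -type f -perm -2000 -group "$g" 2>/dev/null
    done | sort
}

# Stand-alone run (sh audit.sh --run): report on the constructed table, then
# sweep /home and /tmp for setgid files in the assumed pam_group groups.
if [ "${1:-}" = "--run" ]; then
    echo "Mounts without nosuid:"
    printf '%s\n' "$SAMPLE_MOUNTS" | mounts_missing_nosuid
    echo "Setgid files in pam_group-managed groups:"
    find_setgid_for_groups /home plugdev audio video cdrom
    find_setgid_for_groups /tmp plugdev audio video cdrom
fi
```

On a live host, feed `mounts_missing_nosuid` from /proc/mounts instead of the sample and cross-check its output against the directories users can write to; a mount point in that list is where the documented nosuid advice is not being followed. Note that, as Matt says, a setgid binary is only one carrier: a lingering process started during the console session keeps the supplementary group in its credentials regardless of mount options, so a sweep for files does not close the gap by itself.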