Security Basics mailing list archives
Re: Root usage and applications
From: Barrie Dempster <barrie () reboot-robot net>
Date: Wed, 16 Nov 2005 10:43:11 +0000
On Fri, 2005-11-11 at 10:35 -0500, Keenan Smith wrote:
Since an application like OpenView is required to be available from every node in a network, running it as root seems to me like a pretty big vulnerability, if someone were to identify a hole and exploit it.
To begin with we have Precedent: http://www.ngssoftware.com/advisories/hpovrma.txt http://itrc.hp.com/service/cki/docDisplay.do?docId=HPSBMA01138 So this is not a "what if" situation.
As a long-time application developer, I've found that requiring root access usually means that the developer is lazy or at best, following bad programming practices.
Absolutely, much of this perpetuated by the OS, but no doubt it's the ISV's responsibility.
In general, what does the collective wisdom of the group say about something like this?
Can't speak for everyone else, but generally I'd say least privilege is accepted as a base standard for good application development, disregarding it is a major failing.
Does any application require root access? A firewall? A network management tool? An authorization/authentication server?
Most OS's let you control access to resources enough that this is not a requirement, there are a few occaisons when it is required, but it's a trade of between development time and security. I don't think trades of base principles such as this are acceptable, if they can possibly be avoided.
And if it does, is it "really" required or is the requirement a result of developers who don't want to or were not given the time to properly code and configure the application to run as a user other than root?
Usually, it's the "not given" but there is a lot of "don't want" in there too in my opinion. -- With Regards.. Barrie Dempster (zeedo) - Fortiter et Strenue "He who hingeth aboot, geteth hee-haw" Victor - Still Game blog: http://reboot-robot.net sites: http://www.bsrf.org.uk - http://www.security-forums.com ca: https://www.cacert.org/index.php?id=3
Attachment:
smime.p7s
Description:
Current thread:
- Are there any pocketable Hardware Password Vaults CK (Nov 09)
- Re: Are there any pocketable Hardware Password Vaults Andre Ludwig (Nov 10)
- Re: Are there any pocketable Hardware Password Vaults Raoul Armfield (Nov 15)
- Root usage and applications Keenan Smith (Nov 15)
- Re: Root usage and applications Barrie Dempster (Nov 16)
- RE: Are there any pocketable Hardware Password Vaults Jon Gucinski (Nov 10)
- RE: Are there any pocketable Hardware Password Vaults Mike Harlan (Nov 15)
- Re: Are there any pocketable Hardware Password Vaults Steven Meyer (Nov 10)
- Re: Are there any pocketable Hardware Password Vaults Kaushik (Nov 10)
- Re: Are there any pocketable Hardware Password Vaults Eric Udell (Nov 15)
- <Possible follow-ups>
- Re: Are there any pocketable Hardware Password Vaults felix . oxley (Nov 15)
- Re: Are there any pocketable Hardware Password Vaults Pranav Lal (Nov 16)
- Re: Are there any pocketable Hardware Password Vaults Diarmaid McManus (Nov 21)
- Re: Are there any pocketable Hardware Password Vaults Atom Smasher (Nov 28)
- Re: Are there any pocketable Hardware Password Vaults Pranav Lal (Nov 16)
- Re: Are there any pocketable Hardware Password Vaults Andre Ludwig (Nov 10)