public inbox for gentoo-dev@lists.gentoo.org
From: Alan McKinnon <alan.mckinnon@gmail.com>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Requirements for UID/GID management
Date: Mon, 30 Jan 2017 00:30:06 +0200
Message-ID: <616a4068-8581-bce6-3359-50b1ff5a817d@gmail.com>
In-Reply-To: <495556ab-637c-6b21-fac0-52d3bd1e4986@gentoo.org>

On 30/01/2017 00:20, Michael Orlitzky wrote:
> On 01/29/2017 05:07 PM, Alan McKinnon wrote:
>>
>> Sure it can be done, just don't chown -R <user> ~user. DO it the VERY
>> long way round, file by file. Say you changed user "awesome" uid 300 to 400:
>>
>> find / -uid 300 -exec chown awesome {} \+
>>
> 
> That will find symlinks created by UID 300, and chown will follow them
> to give "awesome" ownership of the TARGET of the symlink; an easy root
> exploit. If you are about to suggest "find -type f" or the
> "--no-dereference" flag, then beware that chown will also follow
> hardlinks and you're still screwed (albeit limited to one filesystem,
> and on vanilla kernels).
> 
> 


Good catch with symlinks.
I don't see the point about hardlinks; they are just files with 2
dentries. When find gets to the second one, it's already changed, so no
problem.

But I'm sure there are plenty of edge case scenarios that make this whole
process go awry, all pointing to the same conclusion:

As a dev you shouldn't even try. Let the sysadmin deal with it.
If a system user already has a UID different to the published standard,
leave it alone; it's a human's problem.

-- 
Alan McKinnon
alan.mckinnon@gmail.com
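The safe form of the UID migration discussed above (what `chown -h` gives you, plus `-xdev` and one visit per inode), as an added example that is not part of the thread or of any Gentoo tooling: every stat and chown goes through a directory fd with `follow_symlinks=False`, so a symlink owned by the old UID is re-owned itself and its target is never touched. The function names `plan_reown` and `demo`, the dry-run default, and the constructed sample tree (owned by the current user standing in for UID 300) are my own assumptions.

```python
import os
import tempfile
from typing import Dict, List, Set, Tuple

def plan_reown(root: str, old_uid: int, new_uid: int, apply: bool = False) -> List[str]:
    """Return paths under root owned by old_uid; re-own them to new_uid if apply=True.

    Stat and chown are done relative to a directory fd and never follow symlinks
    (the chown -h behaviour). Entries on another filesystem are skipped, like
    find -xdev, and an inode reached via several hardlinks is handled once.
    """
    root_dev = os.lstat(root).st_dev
    seen: Set[Tuple[int, int]] = set()
    planned: List[str] = []
    for dirpath, dirnames, filenames, dirfd in os.fwalk(root, follow_symlinks=False):
        for name in dirnames + filenames:
            try:
                st = os.stat(name, dir_fd=dirfd, follow_symlinks=False)  # i.e. lstat
            except FileNotFoundError:
                continue  # entry vanished while we walked
            key = (st.st_dev, st.st_ino)
            if st.st_dev != root_dev or st.st_uid != old_uid or key in seen:
                continue
            seen.add(key)
            planned.append(os.path.join(dirpath, name))
            if apply:  # gid -1 leaves the group untouched
                os.chown(name, new_uid, -1, dir_fd=dirfd, follow_symlinks=False)
    return planned

def demo() -> Dict[str, object]:
    """Constructed sample: a tree with a hardlink pair and a symlink pointing out of it."""
    uid = os.getuid()                         # stands in for the old UID 300
    outside = tempfile.mkdtemp()              # stands in for a root-owned location
    target = os.path.join(outside, "target")
    open(target, "w").close()
    root = tempfile.mkdtemp()
    regular = os.path.join(root, "regular")
    open(regular, "w").close()
    hardlink = os.path.join(root, "hardlink")
    os.link(regular, hardlink)                # second dentry, same inode
    link = os.path.join(root, "link")
    os.symlink(target, link)                  # the symlink itself is ours; its target is not
    plan = plan_reown(root, uid, uid)         # dry run: nothing is chown'ed
    return {"plan": plan, "link": link, "target": target,
            "regular": regular, "hardlink": hardlink}
```

On the command line the same protections are `find / -xdev -uid 300 -exec chown -h awesome {} +`, where `-h` stops chown from dereferencing the symlinks that find (which does not follow links by default) matched.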


