Re: Root usage and applications

From: Barrie Dempster (barrie_at_reboot-robot.net)
Date: 11/16/05

    To: Keenan Smith <kc_smith@clark.net>
    Date: Wed, 16 Nov 2005 10:43:11 +0000

    On Fri, 2005-11-11 at 10:35 -0500, Keenan Smith wrote:

    > Since an application like OpenView is required to be available from
    > every node in a network, running it as root seems to me like a pretty
    > big vulnerability, if someone were to identify a hole and exploit it.
    >

    To begin with we have Precedent:

    http://www.ngssoftware.com/advisories/hpovrma.txt
    http://itrc.hp.com/service/cki/docDisplay.do?docId=HPSBMA01138

    So this is not a "what if" situation.

    > As a long-time application developer, I've found that requiring root
    > access usually means that the developer is lazy or at best, following
    > bad programming practices.

    Absolutely; much of this is perpetuated by the OS, but no doubt it's the
    ISV's responsibility.

    > In general, what does the collective wisdom of the group say about
    > something like this?

    Can't speak for everyone else, but generally I'd say least privilege is
    accepted as a base standard for good application development;
    disregarding it is a major failing.

    > Does any application require root access? A firewall? A network
    > management tool? An authorization/authentication server?

    Most OSes let you control access to resources enough that this is not a
    requirement. There are a few occasions when it is required, but it's a
    trade-off between development time and security. I don't think trade-offs
    of base principles such as this are acceptable, if they can possibly be
    avoided.

    > And if it does, is it "really" required or is the requirement a result
    > of developers who don't want to or were not given the time to properly
    > code and configure the application to run as a user other than root?

    Usually, it's the "not given" but there is a lot of "don't want" in
    there too in my opinion.

    -- 
    With Regards..
    Barrie Dempster (zeedo) - Fortiter et Strenue
    "He who hingeth aboot, geteth hee-haw" Victor - Still Game
    blog:  http://reboot-robot.net
    sites: http://www.bsrf.org.uk - http://www.security-forums.com
    ca:    https://www.cacert.org/index.php?id=3
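The point made in the reply above, that the OS gives you enough control over resources that a daemon rarely needs to stay root, is illustrated by this small C routine (added here as an example; it is not part of the list message). The pattern is: open privileged resources (a port below 1024, a raw socket, a protected file) while still root, then drop permanently to an unprivileged identity and verify root cannot be regained. It assumes a Linux/POSIX system and a `nobody` account when started as root.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <unistd.h>
#include <sys/types.h>

/* Drop permanently to target_uid/target_gid. Returns 0 when the process now
 * runs as that identity and a later setuid(0) is impossible, -1 otherwise
 * (errno set by the failing call). Any privileged resources the daemon needs
 * must already have been opened before calling this. */
int drop_privileges(uid_t target_uid, gid_t target_gid)
{
    if (target_uid == 0) {          /* "dropping" to root is not a drop */
        errno = EINVAL;
        return -1;
    }
    /* setgid() leaves supplementary groups intact; clear them while still
     * root (an unprivileged process may not call setgroups at all). */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    /* Group before user: once the uid is gone, changing the gid is refused. */
    if (setgid(target_gid) != 0 || setuid(target_uid) != 0)
        return -1;
    /* setuid() as root also replaces the saved set-user-ID, so regaining
     * root must fail; if it succeeds the drop was incomplete. */
    if (setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return (getuid() == target_uid && geteuid() == target_uid) ? 0 : -1;
}

/* Pick a target identity: "nobody" when started as root (assumed to exist),
 * otherwise the caller's own, already unprivileged, uid/gid so the routine
 * can be exercised by any user. */
int demo_drop(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (geteuid() == 0) {
        struct passwd *pw = getpwnam("nobody");
        if (pw == NULL)
            return -1;
        uid = pw->pw_uid;
        gid = pw->pw_gid;
    }
    return drop_privileges(uid, gid);
}
```

Note that seteuid() alone is not enough: it leaves the saved set-user-ID at 0, which is exactly the state the final setuid(0) check catches.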