[sheepdog-users] dog located in /usr/sbin, but executable by other

[Marcin Mirosław]

W dniu 24.11.2014 o 13:05, Valerio Pachera pisze:
> 2014-11-23 10:43 GMT+01:00 Fabian Zimmermann <dev.faz at gmail.com>:
>> So if this is a feature, I would assume dog in /usr/bin, but if this is
>> a bug chmod o-x should be done, isn't it?
> 
> 
> Hi Fabian, I asked about the same question time ago.
> The answer I got was:
>> Sheepdog has no ACL for users.  If you can run dog, you can issue the command.
> 
> The issue is there but I don't think it's packaging related and here's why:
> 
> if you look at all file in /usr/sbin their permission are 755
> (I'm sepaking of a standard debian installation).
> Also /sbin is the same.
> As normal user, if you run 'ifconfig' it doesn't work because it's not
> in the user's path.
> If you run /sbin/ifconfig, it prints its output.
> If you try to add and ip as normal user by /sbin/ifconfig, it will
> print an error like 'operation not permitted'.
> So it's ifconfig checking if you are super user and choose what you
> are allows to do.
> 
> I also reported a bug about this, because I think there should be some
> think a normal user can do, and other that can't (alike ifconfig).
> https://bugs.launchpad.net/sheepdog-project/+bug/1335151
> 
> As of now, you better chmod o-x /usr/sbin/dog.

Hi!
But still user can run it:
/lib/libc.so.6 /usr/sbin/dog
A little better way is `chmod o-a /usr/sbin/dog` but it doesn't help if
user use own binary and connect to sheep. With ifconfig is a little
diffrent story, even when ifconfig allow normal user to change network
configuration there is kernel protection. Kernel will reject such change
if it's not made by super user.
As far I can see sheepdog isn't created with security in mind. So
securing sheepdog cluster is a little problematic task.

Marcin