[sheepdog-users] dog located in /usr/sbin, but executable by other

Vasiliy Tolstov v.tolstov at selfip.ru
Mon Nov 24 13:43:17 CET 2014


2014-11-24 15:41 GMT+03:00 Marcin Mirosław <marcin at mejor.pl>:
> Hi!
> But a user can still run it:
> /lib/libc.so.6 /usr/sbin/dog
> A little better way is `chmod o-a /usr/sbin/dog` but it doesn't help if
> the user uses their own binary and connects to sheep. With ifconfig it is
> a little different story: even when ifconfig allows a normal user to change
> network configuration there is kernel protection. The kernel will reject such
> a change if it's not made by the super user.
> As far as I can see sheepdog isn't created with security in mind. So
> securing a sheepdog cluster is a little problematic task.


Why not check uid/euid and deny all? Or, more elegant, check CAP and
allow all that have the needed CAPS?

-- 
Vasiliy Tolstov,
e-mail: v.tolstov at selfip.ru
jabber: vase at selfip.ru
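
The two checks proposed in this reply, sketched in C as an added example (not sheepdog code and not from the thread's authors). The function names and the choice of CAP_SYS_ADMIN as the required capability are assumptions; as the quoted message points out, a check inside the client binary does not constrain a user who connects to sheep with their own binary.

```c
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumption: capability an admin tool would demand; the thread names none. */
#define NEEDED_CAP CAP_SYS_ADMIN

/* Option 1 from the reply: allow only an effective uid of 0. */
static int allowed_by_euid(uid_t euid)
{
    return euid == 0;
}

/* Option 2: allow any caller whose effective capability set holds `cap`.
 * This also denies a uid-0 process that has dropped the capability. */
static int allowed_by_cap(uint64_t cap_effective, int cap)
{
    return (int)((cap_effective >> cap) & 1);
}

/* Read the calling thread's effective capabilities with capget(2). */
static int read_effective_caps(uint64_t *out)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];

    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    *out = ((uint64_t)data[1].effective << 32) | data[0].effective;
    return 0;
}

int main(void)
{
    uint64_t eff = 0;

    if (read_effective_caps(&eff) != 0) {
        perror("capget");
        return 2;
    }
    printf("euid check: %s\n", allowed_by_euid(geteuid()) ? "allow" : "deny");
    printf("cap check:  %s\n", allowed_by_cap(eff, NEEDED_CAP) ? "allow" : "deny");
    return allowed_by_cap(eff, NEEDED_CAP) ? 0 : 1;
}
```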


