[GTALUG] Adding all users to the "disk" group: bad idea, or terrible idea?
Lennart Sorensen
lsorense at csclub.uwaterloo.ca
Thu Feb 20 16:57:30 EST 2020
On Thu, Feb 20, 2020 at 04:11:47PM -0500, Chris Tyler via talk wrote:
> Stewart, I'm having troubles understanding the author's reply to the SGID
> suggestion. What I was proposing was to set things up with a command like
> this (executed just once):
>
> BINARY=/path/to/binary ; sudo chmod 02711 $BINARY ; sudo chown root:disk
> $BINARY
>
> ...Which would mean that the user would have their effective group ID
> changed to 'disk' only while the binary was running. This means that,
> during program execution, it would be have the same level of access as if
> the user belonged to the 'disk' group; however, this would drop back to
> their previous group membership when the binary exited. As a bonus, you
> don't have to change the system group memberships. (The program in question
> should, of course, guard against writing to the wrong device while it's
> running, and prevent shell-outs).
It also means any user running the program has that access, not just
users in group disk. That may be considered better or worse.
I suppose the program could check that the user belongs to some other
group meant for this program, but then it gets even more complicated.
--
Len Sorensen
More information about the talk
mailing list