On Thu, Jul 03, 2003 at 02:59:35PM -0400, Gene Heskett wrote:
> On Thursday 03 July 2003 13:21, Eric Siegerman wrote:
> >On Thu, Jul 03, 2003 at 12:40:35PM -0400, Jon LaBadie wrote:
> >> Most people build the software as the amanda_user.
> >
> >Why? I just built it under my own account, and everything went
> >ok. (I did the "make install" as root of course.)
>
> Which if you follow that to its logical conclusion means that because
> you must then be a member of the group disk or backup, your default
> account will have virtually root perms.

No. My personal account is NOT a member of the
disk/operator/backup/whatever group. Amanda doesn't *run* as me;
I did the usual -- created an "amanda" account and configured the
package with:

    --with-user=amanda --with-group=<system-dependent-value>

My only question was why people find it useful to "configure
--many-options; make" Amanda as that user, instead of as
themselves.

> Most of us would rather not have your own user accounts so exposed,

Indeed. Myself emphatically included. Ok, my "make install" as
root is a hole, I admit, but a pretty typical one. (Don't get me
started on the topic of GNU packages' and automake's inscrutable,
unauditable "make -n" logs!)

Hmm, maybe your point is that by doing the whole thing as
"amanda" you can avoid becoming root for the "make install"
(after the first time on a given box, of course, when some
directories might need to be created and chown'ed). But that
only works because Amanda conflates "the user under which I run"
with "the user that owns my files", which is a security problem
in itself. In fact, that's one of my pet peeves; Amanda should
*not* have write permission on its own files -- or be able to
acquire it, i.e. "chmod a-w" doesn't suffice. "Least privilege"
and all that. (I don't know how an attacker could use the write
permission that Amanda now has, but it's prudent to start off by
assuming, until convinced otherwise, that there exists a way to
use it.)

--

|  | /\
|-_|/  >   Eric Siegerman, Toronto, Ont.        [EMAIL PROTECTED]
|  |  /
When I came back around from the dark side, there in front of me
would be the landing area where the crew was, and the Earth, all
in the view of my window. I couldn't help but think that there
in front of me was all of humanity, except me.
        - Michael Collins, Apollo 11 Command Module Pilot
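
Added example, not part of the original message and not Amanda code: a Python check for the exposure described above, where the run-as account can write its own installed files, or can regain write access because it owns them. The uid/gid numbers and the `<prefix>` paths are constructed placeholders.

```python
import os
import stat
from collections import namedtuple

# Same field names as os.stat_result, so real and constructed entries mix.
Entry = namedtuple("Entry", "path st_mode st_uid st_gid")

def write_exposure(e, uid, gids):
    """Why the account (uid, gids) can modify entry e, or None if it cannot."""
    if e.st_uid == uid:
        # The owner can always chmod write access back, so "chmod a-w"
        # on a file the run-as account owns does not remove the exposure.
        return "owner"
    if e.st_gid in gids:
        # For a group member only the group bits are consulted.
        return "group-writable" if e.st_mode & stat.S_IWGRP else None
    return "world-writable" if e.st_mode & stat.S_IWOTH else None

def audit(entries, uid, gids):
    """(path, reason) for every entry the run-as account can modify."""
    hits = ((e.path, write_exposure(e, uid, gids)) for e in entries)
    return [(p, r) for p, r in hits if r]

def scan(root):
    """Yield an Entry for each directory and file under root (symlinks skipped)."""
    for dirpath, _dirs, files in os.walk(root):
        for p in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(p)
            if not stat.S_ISLNK(st.st_mode):
                yield Entry(p, st.st_mode, st.st_uid, st.st_gid)

# Constructed sample: run-as account is uid 501 in group 6; root is uid/gid 0.
RUN_UID, RUN_GIDS = 501, {6}
SAMPLE = [
    Entry("<prefix>/sbin/prog-a", 0o100555, 501, 6),   # a-w, but owned by run-as user
    Entry("<prefix>/sbin/prog-b", 0o100755, 0, 0),     # root-owned, not writable
    Entry("<prefix>/libexec/prog-c", 0o100775, 0, 6),  # writable through the group
    Entry("<prefix>/libexec/prog-d", 0o104750, 0, 6),  # setuid root, group r-x only
    Entry("<prefix>/etc", 0o040777, 0, 0),             # world-writable directory
]

if __name__ == "__main__":
    for path, reason in audit(SAMPLE, RUN_UID, RUN_GIDS):
        print(f"{reason:15} {path}")
```

For a real tree, pass `scan(install_prefix)` to `audit()` together with the run-as account's uid and group ids.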