Why does slibclean require root? - Aix


  1. Why does slibclean require root?

    Just out of curiosity, why does slibclean require root? It's been
    suggested in this forum before to make it setuid. Is that a potential
    security problem? If not, why isn't that the default?


  2. Re: Why does slibclean require root?

    hobie744 writes:

    > Just out of curiosity, why does slibclean require root?


    Because it affects the *whole* system, and not just the user
    running it.

    > It's been suggested in this forum before to make it setuid.


    This is usually needed on development machines -- you build a shared
    object, run an executable using it, detect a bug, and must run slibclean
    to remove the buggy shared object from memory.

    A nicer solution for the same problem is to make the shared object
    non-readable to "other". In that case, it is always loaded into
    "private segment" and unloaded on program exit. No slibclean
    is needed.

    > Is that a potential security problem?


    A user running 'while : ; do slibclean; done' can make the whole
    machine crawl, without exceeding his CPU quota.

    Cheers,
    --
    In order to understand recursion you must first understand recursion.
    Remove /-nsp/ for email.
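
The permission change suggested in reply 2, written as a build-step helper. This is an added example, not code from any poster in the thread; the `*.so` name pattern, the `SO_PATTERN` variable and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): remove "other" read permission from
# freshly built shared objects so that, per reply 2, they are loaded into the
# process-private segment and unloaded on exit, with no slibclean needed.

# is_other_readable FILE
# Succeeds if FILE's mode has the other-read bit set.
# Uses the ls -l mode string because it is portable: character 8 is the
# other-read flag ("r" or "-") in a string such as "-rwxr-xr-x".
is_other_readable() {
    mode=$(ls -ld -- "$1" | cut -c8)
    [ "$mode" = "r" ]
}

# privatize_shared_objects DIR
# Finds shared objects under DIR (name pattern is an assumption, override
# with SO_PATTERN), strips other-read from those that have it, and prints
# the path of every file it changed, one per line.
privatize_shared_objects() {
    dir=$1
    find "$dir" -type f -name "${SO_PATTERN:-*.so}" -print |
    while IFS= read -r f; do
        if is_other_readable "$f"; then
            chmod o-r -- "$f" && printf '%s\n' "$f"
        fi
    done
}

# Stand-alone use: sh privatize.sh /path/to/build/output
if [ "$#" -gt 0 ]; then
    privatize_shared_objects "$1"
fi
```

Programs that load these objects must run as the owner or as a member of the owning group, since everyone else can no longer read the files.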

  3. Re: Why does slibclean require root?

    Paul Pluzhnikov wrote:
    > hobie744 writes:
    >
    >> Just out of curiosity, why does slibclean require root?
    >
    > Because it affects the *whole* system, and not just the user
    > running it.
    >
    >> It's been suggested in this forum before to make it setuid.
    >
    > This is usually needed on development machines -- you build a shared
    > object, run an executable using it, detect a bug, and must run slibclean
    > to remove the buggy shared object from memory.
    >
    > A nicer solution for the same problem is to make the shared object
    > non-readable to "other". In that case, it is always loaded into
    > "private segment" and unloaded on program exit. No slibclean
    > is needed.
    >
    >> Is that a potential security problem?
    >
    > A user running 'while : ; do slibclean; done' can make the whole
    > machine crawl, without exceeding his CPU quota.
    >
    > Cheers,


    Siebel recommends that it be setuid for all users. I did this
    begrudgingly to check off a possible problem during installation. Guess
    this means that they need it to run to compensate for their skunky code!
    ;-)

  4. Re: Why does slibclean require root?

    On May 21, 4:39 pm, 0xDEADABE wrote:
    > Paul Pluzhnikov wrote:
    > > hobie744 writes:
    > >
    > >> Just out of curiosity, why does slibclean require root?
    > >
    > > Because it affects the *whole* system, and not just the user
    > > running it.
    > >
    > >> It's been suggested in this forum before to make it setuid.
    > >
    > > This is usually needed on development machines -- you build a shared
    > > object, run an executable using it, detect a bug, and must run slibclean
    > > to remove the buggy shared object from memory.
    > >
    > > A nicer solution for the same problem is to make the shared object
    > > non-readable to "other". In that case, it is always loaded into
    > > "private segment" and unloaded on program exit. No slibclean
    > > is needed.
    > >
    > >> Is that a potential security problem?
    > >
    > > A user running 'while : ; do slibclean; done' can make the whole
    > > machine crawl, without exceeding his CPU quota.
    > >
    > > Cheers,
    >
    > Siebel recommends that it be setuid for all users. I did this
    > begrudgingly to check off a possible problem during installation. Guess
    > this means that they need it to run to compensate for their skunky code!
    > ;-)


    What about using 'sudo' rather than suid? You would then be able to
    allow use of it to users who truly need it.

    HTH,
    Pete's

