undefined | Better HN

0 pointsLASR6y ago0 comments

Why not?

Modifying system hosts configuration requires privileged file system access.

The mindset here should be default deny.

0 comments

Yep, finding and modifying a script that runs with root privileges, but is writable by non-root users is the oldest privesc trick in the book.

With the proper permissions something like this should be ok, but I'd tread lightly. Especially with something that dynamically updates your hosts file.

anned206y ago

It won't be able to run if the user that is running it doesn't have the proper privileges. You could even protect the files by giving them other permissions so only the root user can use them.

sh-run6y ago

Above you mentioned setting this up as a scheduled job. In this case the job would need to run as root (or you'd need to assign the appropriate permissions in the sudoers file, but people are lazy). If a non-root user had write privileges to the file, they could modify the script and thereby gain root code execution.

Naturally it's on the user to properly configure the permissions.

I'm not saying this isn't a worthy project, I'm just adding to the discussion on why people should be cautious when running scripts with root permissions.

j / k navigate · click thread line to collapse

0 comments

sh-run6y ago

Yep, finding and modifying a script that runs with root privileges, but is writable by non-root users is the oldest privesc trick in the book.

With the proper permissions something like this should be ok, but I'd tread lightly. Especially with something that dynamically updates your hosts file.

anned206y ago

It won't be able to run if the user that is running it doesn't have the proper privileges. You could even protect the files by giving them other permissions so only the root user can use them.

sh-run6y ago

Naturally it's on the user to properly configure the permissions.

I'm not saying this isn't a worthy project, I'm just adding to the discussion on why people should be cautious when running scripts with root permissions.

j / k navigate · click thread line to collapse