They confed /etc/sudoers so that the perforce user can run everything as root without providing a password. I told them that this is really a bad idea, and they pulled up one of their setup guides with "enhanced security hardening".
It ended up with ~35 specific entries for binaries in sudoers, one of them being /usr/sbin/setcap - which allows you to give e.g. the Python interpreter CAP_SETUID, making a privilege escalation to root trivial again.
Package managers are way more modern than that and their design does by itself not require root (see pip). You can in fact run most package managers without root, you just won't be able to modify system files. You can use them to install a chroot as regular user, e.g. `zypper --installroot ~/tw install bash`.
FUSE doesn't really relate to single vs. multi-user AFAICT.
Users are perfectly sandboxed if you configure the system that way. Depending on the distribution that's even the default.
On succifiently offline systems, you can still run software like that. It's quite freeing to have a server with 777 on your home directory when the biggest problem it'll cause is someone pranking you by altering your terminal color scheme to something hideous.
The authors of Unix have taken most of the concepts of an hierarchical file system from Multics, the main exception being the security features, which have been replaced with the simpler owner-group-all permission bits, together with features like setuid/setgid, which may be OK for simple use cases but which is inadequate for a system with many users, where not all of them can be trusted.
When I was working for a major retailer, who, you'd assume would have thought about these things well enough, you were prevented from executing sudo, except for being able to use it for text editing (sudo vi). I needed to install some packages with a root shell at the time, so I used the command execution feature within vi to get that.
Of course there was nothing else in the UI except this window and the browser, but on ancient Firefox, in the print window you had the option to specify the command line to print. I tried "xterm", hit "Print", and voila, a prompt!
Using ps, I managed to figure out the difference between the unpaid browser and the paid one, and next time around I could launch a browsing session without payment...
We all knew it was a bad idea but when your boss and their boss say do it, it’s done.
I’m pretty sure the dba (autocorrect magically suggested “diva” here) knew as well and just wanted a backdoor to have root for whatever they wanted.
I later busted the same team applying patches out of band with tripwire. Hey, wonder how you pulled that off…
OMG. they applied unapproved patches! to the product they were responsible for making work.
We used to be a real society
I fear that this reference to an old Avis advertising slogan may be lost to a modern audience.
1984 was 40 years ago.
Do organization still apply for these kind of patents?
the engineer gets his name on the patent and maybe a bit of prestige. the org gets another (sometimes bad) patent in the portfolio.
skimming the patent https://patents.google.com/patent/US4135240A/en it seems actually pretty well drafted and pretty good (patentable).
