by pid-1 1324 days ago
You can sudo to other users besides root.

For installing things, you generally need write permissions to /usr/bin and the like. So you could create a user with such privileges and sudo to that.

The real issue, I think, is Linux not being capability based, so there's no programmatic way for scripts to communicate which sort of permissions are needed.

2 comments

> communicate which sort of permissions are needed

OpenBSD has something like this: https://man.openbsd.org/pledge.2

Unfortunately not. Pledge is _awesome_, but it's a different thing.

Pledge protects the system from buggy well-intentioned, cooperative software that could have bugs. What's needed is something that protects the system from ill-intentioned, uncooperative software.

> buggy well-intentioned, cooperative software that could have bugs

Ugh, that's what I get for not reading before clicking submit...

SELinux was intended to address this very thing. It's a complex beast that people find too difficult to understand and thus usually it gets disabled.

I see this attitude in pentesting too on embedded systems. A developer encounters a problem they don't quite understand but the problem disappears when they run their app as root, so away we go.