Why is it a security problem to have /usr/sbin owned by bin?

The Sendmail Installation and Operation Guide (§ 1.3.1) asserts:

For security reasons, /, /usr, and /usr/sbin should be owned by root, mode 0755 [2] [...]

[2] Some vendors ship them owned by bin; this creates a security hole that is not actually related to sendmail. [...]

Why is this a security hole? Are there systems that run processes as user bin?

7
2022-06-07 14:30:58
Answers: 1

Disregarding the "group" and "other" permissions, something being owned by root means only root has full control over the file/directory.

Something being owned by another user means that user, in addition to root, has full control over that file. Now you have two entities that have full control over that file/directory, whereas before you only had one.

This is especially bad for executables placed in the standard locations, as other users on the system may call them, and the owning user can replace the executable at his/her will, possibly using it for malicious means. Hopefully on this system the user "bin" is prevented from logging in interactively via a null shell or similar in /etc/passwd. I'm betting this is done to allow a package manager to not have to run as root. This in and of itself probably brings other benefits.

However, if only the directory /usr/sbin is owned by bin, and not the executables within, then it is not as bad.

5
2022-06-07 14:46:24
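An ownership and mode audit for the three directories named in the quoted guide, as an added example that is not part of the original question or answer. The function name audit_dir and its trusted_uid parameter are assumptions of this example; trusted_uid defaults to 0 (root) and exists so the check can be tried on a scratch directory without root privileges.

```python
import os
import stat
import sys

# Directories the quoted Sendmail guide says should be root-owned, mode 0755.
GUIDE_DIRS = ("/", "/usr", "/usr/sbin")


def audit_dir(path, trusted_uid=0):
    """Return findings for one directory and the regular files directly in it.

    trusted_uid is a parameter of this example (default 0, root).
    """
    findings = []
    st = os.lstat(path)
    if st.st_uid != trusted_uid:
        # A directory's owner can chmod it and then add, rename or unlink
        # entries, whoever owns the files inside.
        findings.append(f"{path}: directory owned by uid {st.st_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        mode = stat.S_IMODE(st.st_mode)
        findings.append(f"{path}: mode {mode:04o} is group/other writable")
    with os.scandir(path) as entries:
        for entry in sorted(entries, key=lambda e: e.name):
            est = entry.stat(follow_symlinks=False)
            if not stat.S_ISREG(est.st_mode):
                continue
            if est.st_uid != trusted_uid:
                # The file's owner can rewrite it in place.
                findings.append(f"{entry.path}: file owned by uid {est.st_uid}")
            if est.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                mode = stat.S_IMODE(est.st_mode)
                findings.append(f"{entry.path}: mode {mode:04o} is group/other writable")
    return findings


if __name__ == "__main__":
    problems = []
    for d in GUIDE_DIRS:
        if os.path.isdir(d):
            problems.extend(audit_dir(d))
    print("\n".join(problems) or "no findings")
    sys.exit(1 if problems else 0)
```

Run as a script, it exits non-zero when any of the three directories, or a regular file directly inside one, is owned by a uid other than root or is writable by group or other.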