
Re: of bash and ...sbin/



> Date: Thu, 23 Mar 2000 08:48:47 +1100
> From: Craig Sanders <cas@taz.net.au>
> To: Jacob Kuntz <jake@megabite.net>
> Cc: Chad Miller <cmiller@surfsouth.com>, debian-devel@lists.debian.org
> Subject: Re: of bash and ...sbin/
> 
> On Wed, Mar 22, 2000 at 11:50:10AM -0500, Jacob Kuntz wrote:
> > Chad Miller (cmiller@surfsouth.com) wrote:
> > > 
> > > I like that debian's bash package has different paths for users
> > > and the superuser, but it's caused me to question ideas behind the
> > > placement of some programs in 'sbin' directories.
> > >
> > > For instance, a program joeuser uses often is 'traceroute' (which is
> > > in /usr/sbin).  Other (questionable) ones might be /usr/sbin/fbset
> > > or /usr/sbin/lpc .
> >
> > not to mention ifconfig! having these utils in the non-root path
> > is hardly a security risk. if anything, this is just to keep down
> > helpdesk calls like "what does MAKEDEV do?" personally, since many of
> > these commands print out useful, non-security-risking data, i don't
> > see any good reason to keep em out.
> 
> we've had this flamewar before, only a few months ago.
> 
> just add "/sbin:/usr/sbin:/usr/local/sbin" to your $PATH and be done
> with it. it only takes a few seconds (do it in /etc/profile if you want)
> and it doesn't risk breaking existing scripts.
> 
> many scripts (both debian scripts and local sysadmin scripts) make use
> of ping, traceroute, ifconfig and others in the sbin directories. it is
> common practice to specify the full path to sbin binaries to avoid any
> potential problems with the PATH being different in different contexts
> (e.g. login shell vs cron environment vs su or sudo environment). moving
> these programs to different directories will break those scripts.
> 
> the minimal benefit of moving them is greatly outweighed by the damage
> it would cause.
> 
> in short, add the sbin directories to your PATH and move on.

 Agreed (mostly).  It is very important that Debian have things in the same
place as other Linux distros, and other common Unix flavours.  Otherwise,
scripts from commercial software and other stuff that isn't always as
portable as it should be will be spuriously broken on Debian.  Let's not
go out of our way to lay traps for vendors who we are hoping will support
Debian GNU/*.

 It seems to me that binary locations are one of those things that Unix is
stuck with, even though it would be nice if we could change them.  What
should be done is to add /usr/sbin and /sbin to the PATH of ordinary mortal
users.  There is no security issue here, since they could always add it
themselves if they actively wanted to cause harm.  If you were setting up
restricted-shell accounts, you would need to change PATH anyway, since bash
is in the standard path, which kind of defeats the restricted shell, except
as an anti-cluelessness measure :)

 OTOH, there are programs that could move.  Programs which aren't in other
Unices, such as fbset, should maybe stay in /usr/sbin, since its job is to
configure the machine.  The FHS
(http://www.pathname.com/fhs/1.2/fsstnd-4.10.html) says that /usr/sbin has
daemons, non-essential administration tools, and binaries for non-critical
server programs.  The "administrator" is not necessarily root, since
settings which any user can change can be administered by anyone.  I'd call
changing screen settings, turning on DPMS on the console with setterm, or
stuff like that, counts as admining in my book.  Therefore, these programs
are admin tools, but users should have /usr/sbin (and probably /sbin) in
their PATH, because they can usefully use these admin programs.  (even for
stuff they're not allowed to change, they can get config info.  It probably
doesn't help them to see this config info, but they can see it if they're
curious.)  Everything that is more or less "administrative" should go in
/usr/sbin, which everyone should have in their PATH.

 (oh yeah, did I mention that /usr/sbin should be the default PATH after you
install the base system. Oh, I think I did.  hehe :)

 One thing we should _not_ do is to have things in two places at once, with
symlinks.  That just sucks, IMHO :)

-- 
#define X(x,y) x##y
DUPS Secretary ; http://is2.dal.ca/~dups/
Peter Cordes ;  e-mail: X(peter@cordes.phys. , dal.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE
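
Added example, not part of the original message or thread: a POSIX shell check for the situation both posters describe, where a bare command name resolves in one context's PATH (with the sbin directories) but not in another's. The function names resolve_in, path_gap and demo_gap are hypothetical, and the directory tree is a constructed sandbox.

```shell
#!/bin/sh
# Added example; resolve_in, path_gap and demo_gap are hypothetical names.

# resolve_in CMD PATHSTRING: print the first executable file named CMD along
# PATHSTRING, searching left to right as the shell does; status 1 if none.
resolve_in() (
    # Subshell body, so the IFS and noglob changes do not leak to the caller.
    IFS=:; set -f
    for dir in $2; do
        [ -n "$dir" ] || dir=.   # empty PATH element means current directory
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"
            exit 0
        fi
    done
    exit 1
)

# path_gap NARROW_PATH WIDE_PATH CMD...: list each CMD that resolves under
# WIDE_PATH but not under NARROW_PATH, i.e. what a bare command name loses
# when a script runs in the narrower context (cron, su, a non-root login).
path_gap() {
    narrow=$1; wide=$2; shift 2
    for c in "$@"; do
        if ! resolve_in "$c" "$narrow" >/dev/null; then
            if found=$(resolve_in "$c" "$wide"); then
                printf '%s\t%s\n' "$c" "$found"
            fi
        fi
    done
}

# Constructed sandbox standing in for a real system: ls lives in bin/,
# traceroute and ifconfig only in sbin/, nosuch nowhere.
demo_gap() {
    root=$(mktemp -d) || return 1
    mkdir "$root/bin" "$root/sbin"
    for f in bin/ls sbin/traceroute sbin/ifconfig; do
        printf '#!/bin/sh\n' > "$root/$f"; chmod +x "$root/$f"
    done
    path_gap "$root/bin" "$root/sbin:$root/bin" ls traceroute ifconfig nosuch |
        sed "s|$root||"
    rm -rf "$root"
}

demo_gap
# To audit the live system instead (directories taken from the thread):
# path_gap /usr/bin:/bin /usr/sbin:/sbin:/usr/bin:/bin traceroute ifconfig fbset lpc
```

Commands it lists are the ones a script should call by full path, or whose directory must be added to PATH in every context the script runs in.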

