On Wed, 2008-03-26 at 14:12 -0400, Bill Nottingham wrote:
> Will Woods (wwoods@redhat.com) said:
> > I actually created a Feature page after a discussion about this on
> > #fedora-devel earlier this week:
> >
> > http://fedoraproject.org/wiki/Features/SbinSanity
> >
> > I think it summarizes the problem and (one) proposed solution fairly
> > well. Feel free to expand/edit it..
> >
> > Comments?
>
> Just fix $PATH. It is much much simpler.

It's definitely simpler. And it's been the default in other distros
(e.g. Slackware, Gentoo, Ubuntu) going back at least a decade. It's also
the default in Mac OS X.

But it's not the default in Fedora, and I can't figure out why.

I wrote up the SbinSanity feature assuming that we had intentionally
changed *away* from having /sbin in the path fairly recently - like
during the Fedora Core days - and so someone must have had a damn good
reason to make that change. I assumed there was weeks of discussion
sitting in mailing list archives somewhere explaining the exact reasons
for the choice and making a very convincing argument for keeping them
separate.

Now that I do some research I see that /sbin has not been in the normal
PATH as far back as RHL9 and probably going back to RHL6 or earlier. I
think it's just Always Been Like That. So there's no discussion and no
convincing argument.

Therefore: I'm with notting. Let's add /sbin:/usr/sbin to the path for
normal users.

-w
--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

Le mercredi 26 mars 2008 à 12:39 -0500, Les Mikesell a écrit :
> Bill Nottingham wrote:
> > Jonathan Underwood (jonathan.underwood@gmail.com) said:
> >>> Why not simplify the world and put everything in /bin and /usr/bin,
> >>> making /sbin and /usr/sbin symlinks for backwards compatibility?
> >>> Whatever purpose someone thought the s- versions might have ever served
> >>> flies out the window when the the administrator and the only user are
> >>> one and the same person who is just confused by sometimes having
> >>> commands work and sometimes not.
> >> Seems entirely reasonable.
> >
> > Because it's changing 500 packages, and you can't do the replacement
> > sanely in RPM anyway.
>
> Why does a package need to know if a directory is a symlink or not
> unless it is the one that creates it?

Are we 100% sure there is no collision between /bin and /sbin contents
today ?

--
Nicolas Mailhot
--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

Will Woods wrote:



Now that I do some research I see that /sbin has not been in the normal
PATH as far back as RHL9 and probably going back to RHL6 or earlier. I
think it's just Always Been Like That. So there's no discussion and no
convincing argument.


I'm sure it was that way in RH6, probably 4 - and confusing people even
then.


--
Les Mikesell
lesmikesell@gmail.com

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

Jesse Keating escribió:

On Tue, 2008-03-25 at 12:02 -0600, Gian Paolo Mureddu wrote:

but being as /sbin paths are
meant for administrative tasks, I actually do see having them as part of
a regular user's PATH a potential security risk.



That's completely bogus. A "hidden path" offers 0 security. If you
don't want your users running them, set the permissions on the binary,
or better yet, have the binary check the EUID of the caller. If
non-root, display that the command is for root users, but also allow the
user to get --help and other usage or informational output from the
command. Just don't allow non-root users to apply anything. There
really is no reason I can think of to hide this crap in a different
directory. It just adds needless complication and confusion.



Sarcastic disclaimer.

Why not install all binaries into /bin, /usr/bin, /usr/local/bin and be
done with it, then? Why EVEN have another path, anyway? Better yet, why
don't we follow Ubuntu and make sudo the default, make regular users
have admin rights! Why do we even need root? What's that? Geeze, I mean
why even keep an ancient file system layout?


--
Fedora-desktop-list mailing list
Fedora-desktop-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-desktop-list

"Jeff Spaleta" <jspaleta@gmail.com> writes:

> compared to the difficulty of making use of things like route as a user...
> what is the difficulty of editting the .bash_profile manually to extend
> the path?

It isn't really practical when you have several servers. Yet another
setting which needs to be applied on install (in kickstart) and
checked after upgrades.

Easier to just su - and run the commands.


/Benny


--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

Dnia 26-03-2008, śro o godzinie 22:31 +0100, Benny Amorsen pisze:
> "Jeff Spaleta" <jspaleta@gmail.com> writes:
>
> > compared to the difficulty of making use of things like route as a user...
> > what is the difficulty of editting the .bash_profile manually to extend
> > the path?
>
> It isn't really practical when you have several servers. Yet another
> setting which needs to be applied on install (in kickstart) and
> checked after upgrades.
>
> Easier to just su - and run the commands.

"su -" requires password.

[HERETIC]

With sudo you can omit password, by an option.

[/HERETIC]

--
Jakub 'Livio' Rusinek
http://liviopl.jogger.pl/

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

Jakub 'Livio' Rusinek wrote:

Dnia 26-03-2008, śro o godzinie 22:31 +0100, Benny Amorsen pisze:

"Jeff Spaleta" <jspaleta@gmail.com> writes:


compared to the difficulty of making use of things like route as a user...
what is the difficulty of editting the .bash_profile manually to extend
the path?

It isn't really practical when you have several servers. Yet another
setting which needs to be applied on install (in kickstart) and
checked after upgrades.

Easier to just su - and run the commands.


"su -" requires password.

[HERETIC]

With sudo you can omit password, by an option.

[/HERETIC]


Or you could let the first-added user run sudo commands with his own
password instead of having a usable root password as seems fashionable
these days. I hated that the first time I encountered it, but you just
have to get used to typing 'sudo su -' when you want to stay root for a
while.


--
Les Mikesell
lesmikesell@gmail.com

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

Dnia 26-03-2008, śro o godzinie 17:04 -0500, Les Mikesell pisze:
> Jakub 'Livio' Rusinek wrote:
> > Dnia 26-03-2008, śro o godzinie 22:31 +0100, Benny Amorsen pisze:
> >> "Jeff Spaleta" <jspaleta@gmail.com> writes:
> >>
> >>> compared to the difficulty of making use of things like route as a user...
> >>> what is the difficulty of editting the .bash_profile manually to extend
> >>> the path?
> >> It isn't really practical when you have several servers. Yet another
> >> setting which needs to be applied on install (in kickstart) and
> >> checked after upgrades.
> >>
> >> Easier to just su - and run the commands.
> >
> > "su -" requires password.
> >
> > [HERETIC]
> >
> > With sudo you can omit password, by an option.
> >
> > [/HERETIC]
>
> Or you could let the first-added user run sudo commands with his own
> password instead of having a usable root password as seems fashionable
> these days. I hated that the first time I encountered it, but you just
> have to get used to typing 'sudo su -' when you want to stay root for a
> while.

[HERETIC]

It's more usable, if you have no password :> .

[/HERETIC]

--

Jakub 'Livio' Rusinek
http://liviopl.jogger.pl/

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

On Wed, Mar 26, 2008 at 12:12 PM, Bill Nottingham <notting@redhat.com> wrote:
> Will Woods (wwoods@redhat.com) said:
> > I actually created a Feature page after a discussion about this on
> > #fedora-devel earlier this week:
> >
> > http://fedoraproject.org/wiki/Features/SbinSanity
> >
> > I think it summarizes the problem and (one) proposed solution fairly
> > well. Feel free to expand/edit it..
> >
> > Comments?
>
> Just fix $PATH. It is much much simpler.
>

Nah.. why take the simple way. In fact.. why have /bin and /usr/bin..
no one who counts really uses them as seperate things? We should just
have everything in one or the other. I mean put everything in /bin
that is executable. Create a /share and we don't really need /usr
anymore either.

And is this Friday on the memo or tech-list? ;P



--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

On Wed, Mar 26, 2008 at 12:54 PM, Les Mikesell <lesmikesell@gmail.com> wrote:
> Will Woods wrote:
> >
> >
> > Now that I do some research I see that /sbin has not been in the normal
> > PATH as far back as RHL9 and probably going back to RHL6 or earlier. I
> > think it's just Always Been Like That. So there's no discussion and no
> > convincing argument.
>
> I'm sure it was that way in RH6, probably 4 - and confusing people even
> then.
>

The /sbin paths have never been in a normal user as far as I can tell
(from 3.0.3 days). The reason is that $(FOO)/sbin was meant to locate
system administrator specific commands versus normal user commands.
This is from the System VII days I think. On some systems a system
administrator could make sure that these commands could not be
executed by normals with a simple:

chmod 0750 /sbin /usr/sbin

with only people in the specific wheel or in the root group able to
get there. This would lock down setuid programs.


--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list