From owner-freebsd-stable Wed Apr 15 20:44:23 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA17528 for freebsd-stable-outgoing; Wed, 15 Apr 1998 20:44:23 -0700 (PDT) (envelope-from owner-freebsd-stable@FreeBSD.ORG) Received: from whizzo.TransSys.COM (whizzo.TransSys.COM [144.202.42.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA17318; Wed, 15 Apr 1998 20:43:54 -0700 (PDT) (envelope-from louie@whizzo.TransSys.COM) Received: from whizzo.TransSys.COM (localhost.transsys.com [127.0.0.1]) by whizzo.TransSys.COM (8.8.8/8.7.3) with ESMTP id XAA06049; Wed, 15 Apr 1998 23:43:25 -0400 (EDT) Message-Id: <199804160343.XAA06049@whizzo.TransSys.COM> X-Mailer: exmh version 2.0.1 12/23/97 To: dima@best.net cc: tsprad@set.spradley.tmi.net (Ted Spradley), trost@cloud.rain.com, stable@FreeBSD.ORG, freebsd-security@FreeBSD.ORG From: "Louis A. Mamakos" Subject: Re: kernel permissions References: <199804151949.MAA02749@burka.rdy.com> In-reply-to: Your message of "Wed, 15 Apr 1998 12:49:27 PDT." <199804151949.MAA02749@burka.rdy.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 15 Apr 1998 23:43:24 -0400 Sender: owner-freebsd-stable@FreeBSD.ORG Precedence: bulk > Ted Spradley writes: > > > > > > As for the world read permissions: Removing the read permissions seems > > > > like a gratuitious pseudo-security change. Is there any reason to > > > > prevent users from reading the kernel? Presumably, /usr/src/sys is > > > > > > In some case I don't want my users to read a kernel name list. > > > > > > > readable anyhow, so a person could build their own kernel with the same > > > > configuration, so they may as well just copy the running one. > > > > > > You do not always have /usr/src/sys on your machine. Especially > > > on a production enviroment. > > > > You can change the permissions any way you like on your machine. Users who are knowledgeable enough to worry about know where they can find the sources. To me, this is just gratuitous change for the sake of change. > One more time. In some cases you don't want your users to read kernel > namelist. Generic kernel source code won't help. So, chmod 440 /kernel on *your* system. And how many cases are there where other programs installed on the system need to read the kernel namelist? You'll break those by making a change in the distribution. > Another example. Do search on your local box for all the programs, that > don't allow 'others' to read the binary. Ever wonder why? Hmm.. I found exactly 1 - suidperl. This is hardly a compelling argument to change a well established convention. I don't dispute the utility to some for changing the permissions on the /kernel file, but it's just not clear this is a universally good idea. Next thing you know, you'll want to chmod 440 /etc/rc.conf :-) louie To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message