Date: Wed, 15 Apr 1998 23:43:24 -0400 From: "Louis A. Mamakos" <louie@TransSys.COM> To: dima@best.net Cc: tsprad@set.spradley.tmi.net (Ted Spradley), trost@cloud.rain.com, stable@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: kernel permissions Message-ID: <199804160343.XAA06049@whizzo.TransSys.COM> In-Reply-To: Your message of "Wed, 15 Apr 1998 12:49:27 PDT." <199804151949.MAA02749@burka.rdy.com> References: <199804151949.MAA02749@burka.rdy.com>
next in thread | previous in thread | raw e-mail | index | archive | help
> Ted Spradley writes: > > > > > > As for the world read permissions: Removing the read permissions seems > > > > like a gratuitious pseudo-security change. Is there any reason to > > > > prevent users from reading the kernel? Presumably, /usr/src/sys is > > > > > > In some case I don't want my users to read a kernel name list. > > > > > > > readable anyhow, so a person could build their own kernel with the same > > > > configuration, so they may as well just copy the running one. > > > > > > You do not always have /usr/src/sys on your machine. Especially > > > on a production enviroment. > > > > You can change the permissions any way you like on your machine. Users who are knowledgeable enough to worry about know where they can find the sources. To me, this is just gratuitous change for the sake of change. > One more time. In some cases you don't want your users to read kernel > namelist. Generic kernel source code won't help. So, chmod 440 /kernel on *your* system. And how many cases are there where other programs installed on the system need to read the kernel namelist? You'll break those by making a change in the distribution. > Another example. Do search on your local box for all the programs, that > don't allow 'others' to read the binary. Ever wonder why? Hmm.. I found exactly 1 - suidperl. This is hardly a compelling argument to change a well established convention. I don't dispute the utility to some for changing the permissions on the /kernel file, but it's just not clear this is a universally good idea. Next thing you know, you'll want to chmod 440 /etc/rc.conf :-) louie To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199804160343.XAA06049>