Date: Sat, 30 Mar 2002 04:10:52 -0500
From: "Peter C. Lai" <sirmoo@cowbert.2y.net>
To: "Crist J. Clark" <cjc@FreeBSD.ORG>
Cc: Jason Stone <jason-fbsd-security@shalott.net>, security@FreeBSD.ORG
Subject: Re: make world and setuid bits
Message-ID: <20020330041052.C67123@cowbert.2y.net>
In-Reply-To: <20020328174304.L97841@blossom.cjclark.org>; from cjc@FreeBSD.ORG on Thu, Mar 28, 2002 at 05:43:04PM -0800
References: <20020328121850.D97841@blossom.cjclark.org> <20020328161518.R5333-100000@walter> <20020328174304.L97841@blossom.cjclark.org>
Can we at least have the option of being able to either 1. not build at all
or 2. not setuid on stuff that should never be used (such as rlogin, rsh,
rcp) on modern networks. Similarly, very few people use sliplogin (or SLIP
at all) or UUCP nowadays, and finally, some installations don't require yp*.
I found out that I can use yp* to grab the shadow password file from a
Solaris server on the network. I don't want that to happen if someone got to
my box. (Needless to say, I don't use NIS to authenticate for anything on
this segment). I know you can turn off building stuff like lp*, sendmail,
and bind tools.

On Thu, Mar 28, 2002 at 05:43:04PM -0800, Crist J. Clark wrote:
> On Thu, Mar 28, 2002 at 04:37:54PM -0800, Jason Stone wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> >
> > > > Are there make variables that can be set to prevent "make world" from
> > > > installing binaries as setuid? Currently, I always run something like
> > > > "find -perms -4000 | xargs chmod u-s" after doing a make world, but this
> > > > seems inelegant, prone to human error, and dangerous as there's a
> > > > (potentially quite long) period in which there are still many setuid
> > > > binaries....
> > > >
> > > > make options to allow the prevention of "setuid root", "all setuid",
> > > > or "all setuid and all setgid" would be nice.
> > >
> > > For the vast majority of users, having no setuid binaries is a really,
> > > really bad idea from a security standpoint. It forces you to do
> > > everything as root.
> >
> > 1) For server machines that have no non-root interactive users, the
> > "no setuid or setgid at all" option is a very good idea.
>
> Some sites may use this policy, but I would never like it. It requires
> direct logins as root.
>
> > 2) Even on machines that do have interactive users, there are many
> > environments where it's possible to turn off most of the setuid root
> > bits - I see no reason to let users on a shared machine run ping or
> > traceroute, rsh/rlogin should never be used at all, I can get away with
> > not providing crontab, most servers don't have printers attached and
> > therefore have no use for lpr, etc.
>
> passwd(1), at(1), crontab(1), login(1), su(1), some or most of those
> would be required for almost any multiuser installation.
>
> > So, given that there's decidedly some utility in doing this, is there any
> > reason to not do so?
>
> <insert the usual arguments against rampant featurism here>
> <insert the usual comparison to M$ OS featurism to needlessly incite
> emotional responses>
>
> If you can come up with some reasonably non-obtrusive patches to the
> build to control this with some make.conf(5) knobs, we can have a look
> at the practicality.
> --
> Crist J. Clark                     | cjclark@alum.mit.edu
>                                    | cjclark@jhu.edu
> http://people.freebsd.org/~cjc/    | cjc@freebsd.org
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
Peter C. Lai
University of Connecticut
Dept. of Residential Life | Programmer
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
http://cowbert.2y.net/
860.427.4542 (Room) 860.486.1899 (Lab) 203.206.3784 (Cellphone)
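An added example, not code from the thread or from the FreeBSD build: a post-installworld audit in POSIX sh that, instead of the blanket "chmod u-s" Jason describes, strips setuid/setgid only from an explicit deny list (the r-commands, sliplogin, uucp, yp*) and leaves the programs Crist names as essential (passwd, su, login, at, crontab) untouched. The deny list is a hypothetical site policy, not a FreeBSD default.

```shell
#!/bin/sh
# Audit setuid/setgid files under a tree and strip the bits only from
# programs on an explicit deny list. Hypothetical policy script, not part
# of the FreeBSD build.

# Site policy (an assumption): programs whose setuid bit is never needed.
STRIP_LIST="rlogin rsh rcp sliplogin uucico uuxqt ypchfn ypchsh yppasswd"

# list_setuid DIR: print every setuid or setgid regular file under DIR.
# The option is -perm (not -perms) on both FreeBSD and GNU find.
list_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# in_strip_list NAME: succeed when NAME is on the deny list.
in_strip_list() {
    for p in $STRIP_LIST; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# audit_tree DIR [apply]: print "STRIP path" or "KEEP path" for each
# setuid/setgid file. With "apply" as the second argument, STRIP entries
# lose both bits as they are found, which keeps the window between
# installworld and the cleanup as short as the walk itself.
audit_tree() {
    dir=$1
    mode=${2:-report}
    list_setuid "$dir" | while IFS= read -r f; do
        if in_strip_list "$(basename "$f")"; then
            echo "STRIP $f"
            if [ "$mode" = apply ]; then
                chmod u-s,g-s "$f"
            fi
        else
            echo "KEEP $f"
        fi
    done
}

# Usage: audit_tree /usr/bin          (report only)
#        audit_tree /usr/bin apply    (strip deny-listed bits)
```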