Message-ID: <19981115161548.A23869@internal>
Date: Sun, 15 Nov 1998 16:15:48 +0100
From: Andre Albsmeier
To: hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Would this make FreeBSD more secure?

Hi,

while installing xlockmore, I noticed that its mode is 4111 for root. I think this is because it has to access the encrypted user passwords.

Wouldn't it be generally a good idea to make the /etc/spwd.db and the /etc/master.passwd file 640 and give them to a newly created group? Then programs like xlockmore could be made setgid newgroup instead of setuid root which always makes me a little nervous.
For example:

    root@voyager:~>ll /etc/spwd.db /etc/master.passwd
    -rw-r-----  1 root  pw  -    828 Nov 15 12:43 /etc/master.passwd
    -rw-r-----  1 root  pw  -  40960 Nov 15 12:43 /etc/spwd.db
    root@voyager:~>ll /usr/X11R6/bin/xlock
    ---x--s--x  1 root  pw  - 126976 Oct  1 08:17 /usr/X11R6/bin/xlock*

What do you think? Will it make my systems more insecure with the above stuff or not? If not, wouldn't it make sense to incorporate the changes into FreeBSD? IMHO they break nothing since all programs can continue to access /etc/spwd.db and /etc/master.passwd in the old way but the new method would be possible as well.

Thanks a lot,

-Andre
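How a program installed setgid to the password group, as proposed above, could hold that group only long enough to open the file. This is an added example, not code from the original message or from xlockmore. The function names are hypothetical, and it assumes a master.passwd-style file whose first two colon-separated fields are the user name and the password hash.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently give up set-group-ID privilege.
 * Returns 0 on success, -1 if the group is still held or can be regained. */
int drop_group_privilege(void)
{
    gid_t real = getgid(), held = getegid();

    /* Setting the real GID with setregid() also overwrites the saved GID;
     * plain setgid() from a non-root process does not on every system. */
    if (setregid(real, real) != 0)
        return -1;
    /* Prove the drop is permanent: regaining the old group must now fail.
     * Skipped when nothing was held, or for root, who may set any GID. */
    if (held != real && geteuid() != 0 && setegid(held) == 0)
        return -1;
    return (getegid() == real) ? 0 : -1;
}

/* Copy the password field for `user` from a master.passwd-style file into
 * `out`. The file is opened while the group is still held; the privilege is
 * dropped before any line is parsed.
 * Returns 0 if found, 1 if not found, -1 on error. */
int fetch_hash(const char *path, const char *user, char *out, size_t outlen)
{
    char line[1024];
    size_t ulen = strlen(user);
    int rc = 1;
    FILE *fp = fopen(path, "r");      /* needs the group read bit (mode 640) */

    if (drop_group_privilege() != 0 || fp == NULL) {
        if (fp) fclose(fp);
        return -1;
    }
    while (rc == 1 && fgets(line, sizeof line, fp) != NULL) {
        if (strncmp(line, user, ulen) != 0 || line[ulen] != ':')
            continue;                 /* different user, or only a prefix */
        char *hash = line + ulen + 1;
        size_t hlen = strcspn(hash, ":\n");
        if (hlen >= outlen) { rc = -1; break; }
        memcpy(out, hash, hlen);
        out[hlen] = '\0';
        rc = 0;
    }
    fclose(fp);
    return rc;
}
```

Because the descriptor is opened before the drop, a bug in the later parsing runs with no extra group rights, although the already-open file stays readable until it is closed.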