From owner-freebsd-security Sun Nov 15 14:09:53 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA08415 for freebsd-security-outgoing; Sun, 15 Nov 1998 14:09:53 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id OAA08398; Sun, 15 Nov 1998 14:09:51 -0800 (PST) (envelope-from imp@village.org)
Received: from harmony [10.0.0.6] by rover.village.org with esmtp (Exim 1.71 #1) id 0zfAMJ-00017u-00; Sun, 15 Nov 1998 15:09:27 -0700
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.1/8.8.3) with ESMTP id PAA01604; Sun, 15 Nov 1998 15:10:27 -0700 (MST)
Message-Id: <199811152210.PAA01604@harmony.village.org>
To: Andre Albsmeier
Subject: Re: Would this make FreeBSD more secure?
Cc: Matthew Dillon, hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Sun, 15 Nov 1998 19:22:24 +0100." <19981115192224.A29686@internal>
References: <19981115192224.A29686@internal> <19981115161548.A23869@internal> <199811151758.JAA15108@apollo.backplane.com>
Date: Sun, 15 Nov 1998 15:10:26 -0700
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <19981115192224.A29686@internal> Andre Albsmeier writes:
: > * xterm (suid root for utmp access)
:
: Yes, this is another candidate. Is the setuid root permission really only
: used to access /var/run/utmp?

No. xterm uses it to chown the pty to the user. It would be hard for the device to chown itself when opened, since devices operate below the file system.... xterm tosses its setuid-ness quickly. There is a window in xterm for attack, should it do its data copies or file creation in a sloppy manner.

I don't think that low port binding restrictions would be worth it. What does it really buy you? Little, imho. If an intruder breaks the daemon, you can run arbitrary code as that user, and then be a "trusted" user on the network, which would likely make it easy to gain root from there. I think that it will complicate things too much for the small security gains that you'll get from it. Just my opinion, mind you. Likewise for other pseudo capabilities. A full blown one might help, but I remain skeptical.

Back to the original thread, I'm not sure how making more programs setgid would help system security. Small ones that are easy to audit have proven, in the past, that too many programmers don't know how to use C's APIs in the face of a malicious attacker[*]. Larger programs seem to me to be asking for trouble. Problems may also arise in the long term as the pw acquires new meanings that early adopters weren't aware of. Look at how /etc/shells has grown from just being those users that can login to ftp, to being much, much more...

Warner

[*] Don't flame 'c' unless you have a complete system in place to take its place that performs as well. We've had that flame war here too recently for everyone to have lost their mind :-). Even the internet doesn't lose its mind that quickly :-).
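The "chown the pty, then toss setuid-ness quickly" pattern Warner describes, as an added C example that is not xterm's or FreeBSD's own code. The function names, the exact split between the privileged step and the rest, and the 0620 mode on the slave are my own assumptions; the pty calls are the POSIX posix_openpt/grantpt family rather than whatever xterm itself did. The point it makes is the one in the message: everything that runs before the privilege drop is the attack window, so that region must contain nothing but the handoff, and the drop itself must be checked and irreversible.

```c
/* Added example (not xterm's or FreeBSD's code): a setuid-root program
 * does the one thing that needs root, handing a pty to the invoking
 * user, then permanently drops root before touching anything the user
 * controls. Names and layout are assumptions for illustration. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently give up root. Order matters: the supplementary group list
 * and the gid can only be changed while still root, so they go first and
 * setuid() to the unprivileged uid goes last. Every return value is
 * checked: a silently failed setuid() leaves the program running as root. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;                 /* only root may clear the group list */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* A root caller of setuid() sets real, effective and saved uid at once,
     * so there must be no way back. Fail closed if root can be regained. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return (getuid() == uid && geteuid() == uid) ? 0 : -1;
}

/* The privileged step. Everything before drop_privileges() runs as root
 * and is the "window" the message warns about: no user-controlled paths,
 * no data copies, nothing but the pty handoff. Returns the master fd and
 * stores the slave device path in `slave`, or returns -1. */
int claim_pty(uid_t uid, gid_t gid, char *slave, size_t slavelen)
{
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0)
        return -1;
    /* grantpt() already fixes ownership on modern systems; the explicit
     * chown/chmod restate the chown-to-the-user step from the message. */
    if (grantpt(master) != 0 || unlockpt(master) != 0)
        goto fail;
    const char *name = ptsname(master);
    if (name == NULL || snprintf(slave, slavelen, "%s", name) >= (int)slavelen)
        goto fail;
    if (chown(slave, uid, gid) != 0 ||
        chmod(slave, S_IRUSR | S_IWUSR | S_IWGRP) != 0)   /* 0620, an assumption */
        goto fail;
    return master;
fail:
    close(master);
    return -1;
}

int main(void)
{
    uid_t uid = getuid();            /* the invoking user, not the euid */
    gid_t gid = getgid();
    char slave[64];

    int master = claim_pty(uid, gid, slave, sizeof slave);
    if (master < 0) {
        perror("claim_pty");
        return 1;
    }
    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "could not drop privileges: %s; refusing to continue\n",
                strerror(errno));
        return 1;                    /* never fall through while still root */
    }
    /* From here on this is an ordinary process of `uid`; a bug in the
     * terminal emulator's own code no longer yields root. */
    printf("pty %s handed to uid %u, euid now %u\n",
           slave, (unsigned)uid, (unsigned)geteuid());
    close(master);
    return 0;
}
```

Run unprivileged it simply re-asserts the caller's own ids, which is why drop_privileges() is written to succeed either way; installed setuid root it would hand over the pty and then verify that setuid(0) fails before doing any further work.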