Date: Fri, 22 Jun 2012 14:12:12 -0400
From: Garance A Drosehn <gad@FreeBSD.org>
To: "Julian H. Stacey" <jhs@berklix.com>
Cc: freebsd-security@FreeBSD.org
Subject: Re: / owned by bin causes sshd to complain bad ownership
Message-ID: <4FE4B57C.1040701@FreeBSD.org>
In-Reply-To: <201206221715.q5MHFPJW052099@fire.js.berklix.net>
References: <201206221715.q5MHFPJW052099@fire.js.berklix.net>

On 6/22/12 1:15 PM, Julian H. Stacey wrote:
> Jason Hellenthal wrote:
>
>> It is not really clear why you would want to change the permissions of
>> root:wheel of / on any of these.
>>
> To Increase security.
> More visual prompting of when junior admins blunder & create
> junk as root
> A SUID with bin has less power than a SUID with uid=root
> Currently every binary in the system is one bit away from the jackpot,
> SUID root, why not convert most binaries to uid=bin, then most binaries
> are 2 bits away from jackpot, more safety in event of a blunder too.
>

SUID binaries are one issue. The directory '/' is not a SUID binary. The
issue for sshd is ownership of the directory '/'.

>> root is the owner of the system ... it
>>
> Only because it currently is, & you're used to it ;-)
> Remember back a few decades, Think more deeply, Why do you think it
> _needs_ to be ? Unix didn't used to Want that, it was usually a
> blunder when it occurred.
>
> look at /etc/passwd
> root: entry has the shell,
> bin: entry is more limited, just has /sbin/nologin
>
> The question is WHY did FreeBSD switch to promote everything to root ?
> That it did so Way back proves nothing,
> Cos further back Unix was bin.
>

At one time I read that having directories/files owned by root was a
security benefit when considering the -maproot=<x> for NFS exports. All
unix systems recognize UID=0 means root, and there is no other UID which
all unix systems agree on.

Disclaimer: I rarely use NFS, so I don't really pay attention to the
details. I may have the wrong idea for what the advantage is, but it was
some kind of connection with UID=0 and NFS exports or imports.

I don't think you have shown any benefit by having directories owned by
bin instead of root. I think the check in sshd is fine as it is.

-- 
Garance Alistair Drosehn            =  gad@gilead.netel.rpi.edu
Senior Systems Programmer           or gad@freebsd.org
Rensselaer Polytechnic Institute    or drosih@rpi.edu
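
An added illustration, not part of the original message and not sshd's own code: an audit that walks every directory above a file and reports the ones a strict ownership check would reject. The rule (owned by uid 0 or the target user, not group- or world-writable), the path, the uid values and the sample stat data are all assumptions constructed for the example.

```python
import os
import stat
from collections import namedtuple

# Constructed stand-in for os.stat_result so the check runs on sample data.
FakeStat = namedtuple("FakeStat", "st_uid st_mode")

def ancestors(path):
    """Yield every directory above path, nearest first, ending at the root."""
    cur = os.path.dirname(os.path.abspath(path))
    while True:
        yield cur
        parent = os.path.dirname(cur)
        if parent == cur:  # dirname('/') is '/', so the walk is finished
            return
        cur = parent

def audit_path(path, uid, stat_fn=os.stat):
    """Return [(directory, reason)] for ancestors that fail the assumed rule.

    Assumed rule (modelled on the complaint in the thread, not copied from
    sshd): each directory must be owned by uid 0 or by `uid`, and must not
    be writable by group or others.
    """
    problems = []
    for d in ancestors(path):
        st = stat_fn(d)
        if st.st_uid not in (0, uid):
            problems.append((d, f"owned by uid {st.st_uid}"))
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            mode = stat.S_IMODE(st.st_mode)
            problems.append((d, f"mode {mode:04o} is group/world-writable"))
    return problems

# Constructed sample tree: '/' is owned by uid 3, standing in for 'bin'.
SAMPLE = {
    "/": FakeStat(3, stat.S_IFDIR | 0o755),
    "/home": FakeStat(0, stat.S_IFDIR | 0o755),
    "/home/jhs": FakeStat(1001, stat.S_IFDIR | 0o755),
    "/home/jhs/.ssh": FakeStat(1001, stat.S_IFDIR | 0o700),
}

if __name__ == "__main__":
    target = "/home/jhs/.ssh/authorized_keys"
    for d, why in audit_path(target, 1001, SAMPLE.__getitem__):
        print(f"bad ownership or modes for directory {d}: {why}")
```

Called with the default `stat_fn`, the same function reads the live filesystem, so it can be pointed at a real key file to see which directory a complaint would refer to.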