From owner-cvs-all Fri Aug 11 14:20:24 2000
Delivered-To: cvs-all@freebsd.org
Received: from sivka.rdy.com (sivka.rdy.com [207.33.166.86])
	by hub.freebsd.org (Postfix) with ESMTP
	id 0A4E237BA0E; Fri, 11 Aug 2000 14:20:09 -0700 (PDT)
	(envelope-from dima@sivka.rdy.com)
Received: (from dima@localhost)
	by sivka.rdy.com (8.9.3/8.9.3) id OAA19352;
	Fri, 11 Aug 2000 14:17:40 -0700 (PDT)
	(envelope-from dima)
Message-Id: <200008112117.OAA19352@sivka.rdy.com>
Subject: Re: cvs commit: src/gnu/usr.bin/perl Makefile
In-Reply-To: <20000811230910.A58926@mithrandr.moria.org> "from Neil Blakey-Milner at Aug 11, 2000 11:09:10 pm"
To: Neil Blakey-Milner
Date: Fri, 11 Aug 2000 14:17:40 -0700 (PDT)
Cc: Dima Ruban, Peter Wemm, Christopher Masto, "Chris D. Faulhaber", Warner Losh, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Organization: HackerDome
Reply-To: dima@rdy.com
From: dima@rdy.com (Dima Ruban)
X-Mailer: ELM [version 2.4ME+ PL77 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Neil Blakey-Milner writes:
> On Fri 2000-08-11 (14:02), Dima Ruban wrote:
> > > > How do you see that resulting in _more_ security holes?
> > > > If /usr/bin/suidperl doesn't exist and some program refers to it, it will
> > > > give you "command not found" (or similar) message.
> > >
> > > Because people start writing setuid "#! /bin/suidsh -p" scripts instead.
> > > And that is outright suicidal as it is guaranteed exploitable. It is also
> > > the very reason that suidperl exists.
> >
> > Following that logic people will nuke /usr/bin/su and replace it with suid to
> > root shell. People don't do it. They aren't _that_ stupid.
>
> If you didn't provide su, they would. That's the point.

No, I've meant that nuking su, copying sh and making it suid to root would be
much easier than to do the right thing and remember root's password.
We aren't removing suidperl completely. It's just not in the default
installation. All you need to do is to reenable it.

>
> Neil
> --
> Neil Blakey-Milner
> Sunesi Clinical Systems
> nbm@mithrandr.moria.org
>

-- dima