From owner-freebsd-security  Fri Jan 22 20:13:23 1999
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id UAA08806
          for freebsd-security-outgoing; Fri, 22 Jan 1999 20:13:23 -0800 (PST)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from cc942873-a.ewndsr1.nj.home.com (cc942873-a.ewndsr1.nj.home.com [24.2.89.207])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA08801
          for <freebsd-security@freebsd.org>; Fri, 22 Jan 1999 20:13:21 -0800 (PST)
          (envelope-from cjc@cc942873-a.ewndsr1.nj.home.com)
Received: (from cjc@localhost)
	by cc942873-a.ewndsr1.nj.home.com (8.8.8/8.8.8) id XAA02392
	for freebsd-security@freebsd.org; Fri, 22 Jan 1999 23:14:40 -0500 (EST)
	(envelope-from cjc)
From: "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
Message-Id: <199901230414.XAA02392@cc942873-a.ewndsr1.nj.home.com>
Subject: bin Directory Ownership
To: freebsd-security@FreeBSD.ORG
Date: Fri, 22 Jan 1999 23:14:40 -0500 (EST)
Reply-To: cjclark@home.com
X-Mailer: ELM [version 2.4ME+ PL40 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>From a number of sources, I have been told it is not ideal, from a
security point of view, to have any root owned executables in a
directory owned by another user, even an administrative user. The
logic is that even if administrative users have logins disabled, their
actions, if they do get a shell or some ability to execute commands,
are not as closely watched as root. Since it is gernerally assumed
commands owned by root are 'safe,' the fact that these commands could
be switched to something else by a non-root user is considered a
securiy hole.

I have noticed that /usr/bin has the ownership of user 'bin' and group
'bin.' This is in spite of the fact that I count more than 2 dozen
commands onwed by root that are installed by the standard FreeBSD
installation tools or ports. In addition, /usr/libexec and /usr/sbin
(!!!) are owned by bin but contain root owned executables.

Am I being over protective? Is there a problem with my installation?
Do I need to relax?

Thanks for any responses.
-- 
Crist J. Clark                           cjclark@home.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message