From owner-freebsd-security Sat Jan 23 03:01:59 1999
Date: Sat, 23 Jan 1999 06:01:40 -0500 (EST)
From: Robert Watson
Reply-To: Robert Watson
To: cjclark@home.com
cc: freebsd-security@FreeBSD.ORG
Subject: Re: bin Directory Ownership
In-Reply-To: <199901230414.XAA02392@cc942873-a.ewndsr1.nj.home.com>

On Fri, 22 Jan 1999, Crist J. Clark wrote:

> From a number of sources, I have been told it is not ideal, from a
> security point of view, to have any root-owned executables in a
> directory owned by another user, even an administrative user. The
> logic is that even if administrative users have logins disabled, their
> actions, if they do get a shell or some ability to execute commands,
> are not as closely watched as root. Since it is generally assumed
> commands owned by root are 'safe,' the fact that these commands could
> be switched to something else by a non-root user is considered a
> security hole.
>
> I have noticed that /usr/bin has the ownership of user 'bin' and group
> 'bin.' This is in spite of the fact that I count more than 2 dozen
> commands owned by root that are installed by the standard FreeBSD
> installation tools or ports. In addition, /usr/libexec and /usr/sbin
> (!!!) are owned by bin but contain root-owned executables.
>
> Am I being overprotective? Is there a problem with my installation?
> Do I need to relax?
>
> Thanks for any responses.
>
> --
> Crist J. Clark
> cjclark@home.com

You are correct--there is no security improvement through the use of the
bin user. However, it is also the case that (aside from false assumptions
about some improvement) security is probably not damaged by having a bin
user. I am in the process of some research analyzing the impact of file
and directory ownership affecting the UNIX trust model (especially w.r.t.
setuid and setgid binaries). I will post the results when I finish up
(probably in a month or so).

Access to the bin account is very limited; effectively, to acquire a uid
bin process capable of modifying the binaries, you would first have to
have a uid root process that you had subverted.

Robert N Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73 25 6D 10 FC EC 68 C1 1C
Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
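The trust-chain point the two posters are circling (whoever owns a directory on the path to a binary can rename or replace that binary, so a root-owned /usr/bin/su is only as trustworthy as the bin user who owns /usr/bin) can be checked mechanically. The following is an added example written for this page; it is not code from the thread, from Robert Watson's research, or from FreeBSD. It walks the ownership and write bits of every component on a path and lists each principal that could replace a root-owned setuid/setgid executable, with a sticky world-writable directory (/tmp style) handled as the one case where write access to a directory does not confer control of existing entries. The sample tree is constructed for illustration, and uid 3 / gid 7 are assumed to be 'bin' (FreeBSD's conventional ids; check /etc/passwd on the system you audit).

```python
"""Who can replace a root-owned executable?

An executable is only as trustworthy as every principal that can modify
it or any directory on the path to it: a directory owner can rename or
unlink entries (and chmod the directory) regardless of who owns the
entries. This walks that chain for each path and reports the principals
outside a trusted set.
"""
import os
import stat


def ancestors(path):
    """Yield '/', then each directory on the way down to `path`, then `path`."""
    parts = [p for p in path.split("/") if p]
    cur = ""
    yield "/"
    for part in parts:
        cur += "/" + part
        yield cur


def controllers(path, lookup):
    """Return the set of principals able to replace `path`.

    `lookup(p)` must return (uid, gid, mode) for p, where mode is the
    permission bits as from stat.S_IMODE(). Principals are strings:
    'uid:N' (owner of the file or of a directory on the path), 'gid:N'
    (a group-writable component) or 'world' (a world-writable component).
    """
    who = set()
    for comp in ancestors(path):
        uid, gid, mode = lookup(comp)
        who.add(f"uid:{uid}")          # an owner can always chmod, so always counts
        is_dir = comp != path
        # A sticky directory lets others create entries, but only the
        # entry's owner, the directory owner or root may unlink or rename
        # an existing one, so it does not hand out control of what is
        # already there.
        if is_dir and mode & stat.S_ISVTX:
            continue
        if mode & stat.S_IWGRP:
            who.add(f"gid:{gid}")
        if mode & stat.S_IWOTH:
            who.add("world")
    return who


def untrusted(path, lookup, trusted_uids=frozenset({0})):
    """Controllers of `path` that are not in `trusted_uids`."""
    return {c for c in controllers(path, lookup)
            if not (c.startswith("uid:") and int(c[4:]) in trusted_uids)}


def audit(lookup, paths, trusted_uids=frozenset({0})):
    """For every setuid/setgid file in `paths` owned by a trusted uid,
    report the untrusted principals that could nevertheless replace it."""
    findings = {}
    for p in paths:
        uid, _gid, mode = lookup(p)
        if uid not in trusted_uids or not mode & (stat.S_ISUID | stat.S_ISGID):
            continue
        bad = untrusted(p, lookup, trusted_uids)
        if bad:
            findings[p] = sorted(bad)
    return findings


def fs_lookup(p):
    """lookup() backed by the real filesystem (lstat: symlinks not followed)."""
    st = os.lstat(p)
    return st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)


# Constructed sample tree for illustration; not taken from a real system.
# uid 3 / gid 7 are assumed to be 'bin' (FreeBSD's conventional ids),
# uid/gid 1001 an ordinary user, gid 0 wheel.
SAMPLE = {
    "/":                    (0, 0, 0o755),
    "/usr":                 (0, 0, 0o755),
    "/usr/bin":             (3, 7, 0o755),      # bin-owned, as in the thread
    "/usr/bin/su":          (0, 0, 0o4555),     # root-owned setuid
    "/usr/local":           (0, 0, 0o755),
    "/usr/local/bin":       (0, 0, 0o775),      # group-writable by wheel
    "/usr/local/bin/sudo":  (0, 0, 0o4111),
    "/tmp":                 (0, 0, 0o1777),     # world-writable but sticky
    "/tmp/helper":          (0, 0, 0o4755),
    "/home":                (0, 0, 0o755),
    "/home/alice":          (1001, 1001, 0o755),
    "/home/alice/bin":      (1001, 1001, 0o777),  # world-writable, no sticky
    "/home/alice/bin/tool": (0, 0, 0o4755),
}


def sample_lookup(p):
    return SAMPLE[p]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # audit real trees, e.g. /usr/bin /usr/sbin /usr/libexec
        paths = [os.path.join(root, f)
                 for d in sys.argv[1:]
                 for root, _dirs, files in os.walk(d)
                 for f in files]
        findings = audit(fs_lookup, paths)
    else:                   # demonstrate on the constructed tree
        findings = audit(sample_lookup, list(SAMPLE))
    for p, who in sorted(findings.items()):
        print(f"{p}: replaceable by {', '.join(who)}")
```

Run without arguments it reports /usr/bin/su as replaceable by uid 3 (exactly Crist's concern), /usr/local/bin/sudo as replaceable by anyone in gid 0, and /home/alice/bin/tool as replaceable by uid 1001, gid 1001 and the world; /tmp/helper is not reported because the sticky bit on /tmp protects existing entries. Passing `trusted_uids={0, 3}` expresses Robert's position that bin is reachable only via an already-subverted root, and the /usr/bin finding disappears. On a real system run it as root against /usr/bin, /usr/sbin and /usr/libexec; the directory-owner entries are what a plain `find -perm -4000` cannot tell you.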