Date:      Sat, 23 Jan 1999 13:26:13 +0100
From:      The Unicorn <unicorn@unicorn.xs4all.nl>
To:        Robert Watson <robert+freebsd@cyrus.watson.org>, cjclark@home.com
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: bin Directory Ownership
Message-ID:  <19990123132613.A21293@unicorn.quux.org>
In-Reply-To: <Pine.BSF.3.96.990123055843.17775A-100000@fledge.watson.org>; from Robert Watson on Sat, Jan 23, 1999 at 06:01:40AM -0500
References:  <199901230414.XAA02392@cc942873-a.ewndsr1.nj.home.com> <Pine.BSF.3.96.990123055843.17775A-100000@fledge.watson.org>

On Sat, Jan 23, 1999 at 06:01:40AM -0500, Robert Watson wrote:
> 
> You are correct--there is no security improvement through the use of the
> bin user.  However, it is also the case that (aside from false assumptions
> about some improvement) security is probably not damaged by having a bin
> user.  I am in the process of some research analyzing the impact of file
> and directory ownership affecting the UNIX trust model (especially w.r.t.
> setuid and setgid binaries).  I will post the results when I finish up
> (probably in a month or so).  Access to the bin account is very limited;
> effectively, to acquire a uid bin process capable of modifying the
> binaries, you would first have to have a uid root process that you had
> subverted.

This is not always the case. Have a look at the old but still valid
paper from Wietse and Dan: "admin-guide-to-cracking-101" also known as
"Improving the Security of Your Site by Breaking Into It". Especially
the part on the use of rsh and the wildcard in the /etc/hosts.equiv file
(yeah, I know that allowing the r-commands is a BIG NO-NO ;-).

>   Robert N Watson

---end quoted text---

Ciao,
Unicorn.
-- 
======= _ __,;;;/ TimeWaster ================================================
     ,;( )_, )~\| A Truly Wise Man Never Plays   PGP: 64 07 5D 4C 3F 81 22 73
    ;; //  `--;     Leapfrog With A Unicorn...        52 9D 87 08 51 AA 35 F0
==='= ;\ = | ==== Youth is not a time in Life, It is a State of Mind! =======


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
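The disagreement above turns on whether a uid bin process is reachable without first holding root. Robert's model says no; Unicorn's counter-example is a host that trusts every remote host through a "+" wildcard in /etc/hosts.equiv, where rsh lets anyone run commands as any non-root account (bin included), and bin in turn owns directories holding the system's binaries. The audit script below is an added example written for this page, not code from the thread, from the Farmer and Venema paper, or from FreeBSD. It checks each link of that chain on the local machine: a wildcard host in hosts.equiv, rshd/rlogind enabled in inetd.conf, and system directories owned by a uid other than 0. It assumes the classic "host [user]" hosts.equiv format, that the inetd service names "shell" and "login" map to rshd and rlogind, and that the directory list in TRUST_PATHS is the set whose ownership matters; the sample files used for checking it are constructed, and nothing in it modifies the system.

```shell
#!/bin/sh
# Added audit script (not from the thread or from FreeBSD).  Reports the
# three conditions that together let a remote user reach a uid-bin
# process with write access to system binaries:
#   1. "+" as the host field in /etc/hosts.equiv (any host is trusted)
#   2. rshd / rlogind enabled in inetd.conf
#   3. system directories owned by a non-root uid (bin, for instance)
# Assumptions (not stated on the page): "host [user]" hosts.equiv lines,
# inetd service names "shell" and "login" for rshd and rlogind, and the
# TRUST_PATHS list below as the directories whose ownership matters.

TRUST_PATHS="/etc /bin /sbin /usr/bin /usr/sbin /usr/lib /usr/libexec"

# Print hosts.equiv lines whose host field is the wildcard "+".
# "+@netgroup" names a netgroup and "host +" opens a single host to all
# of its users, so neither is reported.  Exit 0 if a wildcard line was
# found, 1 if none was found or the file is unreadable.
hosts_equiv_wildcard() {
    [ -r "$1" ] || return 1
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == "+" { found = 1; print FILENAME ":" NR ": " $0 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Print uncommented inetd.conf entries that start rshd ("shell") or
# rlogind ("login").  A wildcard in hosts.equiv is inert while these are
# off.  Exit 0 if any are enabled, 1 otherwise.
r_services_enabled() {
    [ -r "$1" ] || return 1
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == "shell" || $1 == "login" { found = 1; print FILENAME ":" NR ": " $0 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Emit one "uid path" line for each path that exists.  ls -ldn is POSIX
# and its third field is the numeric owner, so no name lookup is needed.
owners_of() {
    for p in "$@"; do
        [ -e "$p" ] || continue
        ls -ldn "$p" | awk -v path="$p" '{ print $3, path }'
    done
}

# Read "uid path" lines on stdin and print those not owned by uid 0.
# These are the directories a compromised non-root account could rewrite.
# Exit 0 if any were found, 1 otherwise.
nonroot_owned() {
    awk '
        { path = $0; sub(/^[^ ]* */, "", path) }
        $1 != 0 { found = 1; print "uid " $1 " owns " path }
        END { exit (found ? 0 : 1) }
    '
}

# Run all three checks.  Arguments: hosts.equiv path and inetd.conf path
# (both default to /etc).  Exit 0 only when no link of the chain is present.
audit() {
    rc=0
    if hosts_equiv_wildcard "${1:-/etc/hosts.equiv}"; then
        echo "WARNING: hosts.equiv trusts any host (rsh reaches every non-root account)"
        rc=1
    fi
    if r_services_enabled "${2:-/etc/inetd.conf}"; then
        echo "WARNING: rsh/rlogin are enabled in inetd"
        rc=1
    fi
    if owners_of $TRUST_PATHS | nonroot_owned; then
        echo "WARNING: system directories above are owned by a non-root uid"
        rc=1
    fi
    return $rc
}

# Only touch the live system when asked, so the file can also be sourced
# for its functions:   AUDIT_LIVE=1 sh audit.sh
if [ "${AUDIT_LIVE:-0}" = 1 ]; then
    audit "$@"
fi
```

The third check is the one that still matters on a system without the r-commands: it lists exactly the directories whose owner, if ever compromised by any route, can replace binaries that root will later execute, which is the trust-model question Robert says he is researching.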



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19990123132613.A21293>