From owner-freebsd-hackers  Mon Jan 22 03:11:08 1996
Return-Path: owner-hackers
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.3/8.7.3) id DAA00273
          for hackers-outgoing; Mon, 22 Jan 1996 03:11:08 -0800 (PST)
Received: from labinfo.iet.unipi.it (labinfo.iet.unipi.it [131.114.9.5])
          by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id DAA00265
          for <hackers@FreeBSD.org>; Mon, 22 Jan 1996 03:11:01 -0800 (PST)
Received: from localhost (luigi@localhost) by labinfo.iet.unipi.it (8.6.5/8.6.5) id MAA04840; Mon, 22 Jan 1996 12:02:50 +0100
From: Luigi Rizzo <luigi@labinfo.iet.unipi.it>
Message-Id: <199601221102.MAA04840@labinfo.iet.unipi.it>
Subject: Re: Security (was: Re: Two commands: icat and ils)
To: davidg@Root.COM
Date: Mon, 22 Jan 1996 12:02:50 +0100 (MET)
Cc: imp@village.org, hackers@FreeBSD.org, dworkin@rover.village.org
In-Reply-To: <199601221032.CAA14292@Root.COM> from "David Greenman" at Jan 22, 96 02:32:23 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-hackers@FreeBSD.org
Precedence: bulk

> >Why ? Security must be enforced with proper protections, not by
> >simply trying to hide information which *is* available. One thing
> >I never liked in FreeBSD:
> >
> >    www# ls -l /sbin/init /sbin/shutdown
> >    -r-x------  1 bin   bin       143360 Nov 16 10:49 /sbin/init
> >    -r-sr-x---  1 root  operator  135168 Nov 16 10:49 /sbin/shutdown
> >
> >as if denying *read* access to these publicly available files would
> >prevent anyone from rebuilding them from the sources or getting a
> >copy from the binary distribution or from the CDROM.
> 
>    That's not the reason they have read permissions removed. It's common for
> people to have /sbin in their path - to pick up useful utilities which
> probably shouldn't be in /sbin anyway (like ifconfig and ping, for example),
> and executing /sbin/init by accident is not a good thing.

Two objections:

1) just make /sbin/init mode 544 then. Actually, shouldn't it work
   even if it has mode 444 ?
2) would it be that hard to fix init so as to quit if its not
   appropriate for it to run (e.g. check process id, another instance
   running, etc.) ? I am asking because I don't know what are the
   implications, but if the consequences are so bad...

You may wonder why I would like to have this changed: it is useful
for those settings where you have diskless system with NFS-mounted
root partition.

	Luigi
====================================================================
Luigi Rizzo                     Dip. di Ingegneria dell'Informazione
email: luigi@iet.unipi.it       Universita' di Pisa
tel: +39-50-568533              via Diotisalvi 2, 56126 PISA (Italy)
fax: +39-50-568522              http://www.iet.unipi.it/~luigi/
====================================================================