Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 28 Jul 1997 16:42:28 -0500
From:      Karl Denninger  <karl@Mcs.Net>
To:        Robert Watson <robert+freebsd@cyrus.watson.org>
Cc:        Adam Shostack <adam@homeport.org>, Vincent Poy <vince@mail.MCESTATE.COM>, security@FreeBSD.ORG
Subject:   Re: security hole in FreeBSD
Message-ID:  <19970728164228.19622@Jupiter.Mcs.Net>
In-Reply-To: <Pine.BSF.3.95q.970728164656.3342K-100000@cyrus.watson.org>; from Robert Watson on Mon, Jul 28, 1997 at 04:55:19PM -0400
References:  <199707282004.QAA07078@homeport.org> <Pine.BSF.3.95q.970728164656.3342K-100000@cyrus.watson.org>

next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Jul 28, 1997 at 04:55:19PM -0400, Robert Watson wrote:
> On Mon, 28 Jul 1997, Adam Shostack wrote:
> 
> > Vincent Poy wrote:
> > 
> > 	su really should be setuid.  Everything else is debatable.  My
> > advice is to turn off all setuid bits except those you know you need
> > (possibly w, who, ps, ping, at, passwd)
> > 
> > find / -xdev -perm -4000 -ok chmod u-s {} \;
> > find /usr -xdev -perm -4000 -ok chmod u-s {} \;
> > find / -xdev -perm -2000 -ok chmod g-s {} \;
> > find /usr -xdev -perm -2000 -ok chmod g-s {} \;
> > # The semicolons are part of the line
> 
> Several mail delivery programs (mail.local, sendmail, uucp-stuff, etc)
> require root access to delivery to local mailboxes; crontab related stuff,
> terminal locking, some kerberos commands, local XWindows servers, and su
> all rely on suid.
> 
> What type of secured environment are you hoping to create?  If root access
> is only to be used from the console, and shared functions like
> xwindows/mailstuff/user crontab aren't needed, you can probably just
> disable all the suid-root programs, or suid-anything programs.  Look also
> at the sgid programs that scan kmem.  Ideally, you'd also put the system
> in a higher secure level, and mount all partitions non-suid, as long as
> login kept working :).
> 
> Does login require suid, or does gettytab run it as root anyway?
> 
>   Robert N Watson 

If you take the SUID off login it works fine, PROVIDED you don't try to use
it to "re-login" (a rather common thing for Berzerkelyoids to do).

--
-- 
Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity
http://www.mcs.net/~karl     | T1's from $600 monthly to FULL DS-3 Service
			     | 99 Analog numbers, 77 ISDN, http://www.mcs.net/
Voice: [+1 312 803-MCS1 x219]| NOW Serving 56kbps DIGITAL on our analog lines!
Fax:   [+1 312 803-4929]     | 2 FULL DS-3 Internet links; 400Mbps B/W Internal



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19970728164228.19622>