From owner-freebsd-security  Mon Apr 20 07:01:45 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id HAA24831
          for freebsd-security-outgoing; Mon, 20 Apr 1998 07:01:45 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from RWSystems.net (root@rwsystr.RWSystems.net [204.251.23.1])
          by hub.freebsd.org (8.8.8/8.8.8) with SMTP id OAA24724
          for <freebsd-security@FreeBSD.ORG>; Mon, 20 Apr 1998 14:01:06 GMT
          (envelope-from jwyatt@rwsystr.RWSystems.net)
Received: from rwsystr.RWSystems.net by RWSystems.net with smtp
	(Smail3.1.29.1 #3) id m0yRH30-0001NwC; Mon, 20 Apr 98 08:55 CDT
Date: Mon, 20 Apr 1998 08:55:47 -0500 (CDT)
From: James Wyatt <jwyatt@rwsystr.RWSystems.net>
To: freebsd-security@FreeBSD.ORG
cc: fpscha@schapachnik.com.ar, robert+freebsd@cyrus.watson.org,
        Niall Smart <rotel@indigo.ie>
Subject: Re: suid/sgid programs
In-Reply-To: <199804191452.PAA00588@indigo.ie>
Message-ID: <Pine.LNX.3.91.980420084647.19730A-100000@rwsystr.RWSystems.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from QUOTED-PRINTABLE to 8bit by hub.freebsd.org id OAA24749
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Sun, 19 Apr 1998, Niall Smart wrote:
> On Apr 19, 12:26am, "Fernando P. Schapachnik" wrote:
> } Subject: Re: suid/sgid programs
> > En un mensaje anterior Robert Watson escribi˘:
> > [...]
> > > We note also that a fairly large chunk of suid/sgid programs are UUCP
> > > programs -- something that a majority of FreeBSD users (I would guess?) do
> > > not use.  In terms of reducing risk, disabling suid/sgid on these programs
> > Don't be so sure. FreeBSD boxes are an excellent choice for UUCP servers. 
> > Actually I have a few running (and planning to install more).
> I think the point he was making was that most users don't use UUCP, and
> therefore we shouldn't be shipping UUCP related utilities with set[ug]id
> bits.  Presumably if you can configure UUCP you can use chmod.

I thought we were after suid/sgid programs that had kernel risks (like 
suid root or sgid kmem). What does s[ug]id uucp impact outside of the 
uucp core files? Your inbound/outbound password files might be useful for 
password hacking or getting free service, but what else?

btw: I really dislike the "We can make this stronger by %s and if you 
don't like it or need it undone, you can %s" arguements. They peel-off 
useful subsystems and factionalize us. I still use UUCP a lot here in the 
states for unmetered full-domain email support. Works nicely and lets me 
remote-admin much cheaper.

Thanks - James

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message