Date: Tue, 15 Oct 1996 12:39:50 -0500 (CDT)
From: Joe Greco <jgreco@brasil.moneng.mei.com>
To: bde@zeta.org.au (Bruce Evans)
Cc: bde@zeta.org.au, luigi@labinfo.iet.unipi.it, freebsd-hackers@FreeBSD.ORG, j@uriah.heep.sax.de
Subject: Re: /sbin/init permission
Message-ID: <199610151739.MAA26177@brasil.moneng.mei.com>
In-Reply-To: <199610151536.BAA14817@godzilla.zeta.org.au> from "Bruce Evans" at Oct 16, 96 01:36:34 am

> >> Complete set of standard executables with annoying permissions in
> >> -current:
> >>
> >> -r-x------ 1 bin bin 20480 Oct 2 04:24 /sbin/init
> >> -r-sr-x--- 1 root operator 12288 Oct 2 04:26 /sbin/shutdown
> >> ---s--x--x 2 root bin 286720 Oct 2 04:19 /usr/bin/sperl4.036
> >> ---s--x--x 2 root bin 286720 Oct 2 04:19 /usr/bin/suidperl
> >> -r-sr-x--- 1 uucp uucp 90112 Oct 2 04:09 /usr/libexec/uucp/uuxqt
> >> -r-x------ 1 bin bin 12288 Oct 2 04:42 /usr/sbin/watch
> >...
> >for suid applications there is a reason for being restrictive. For
>
> I think security by obscurity is the only reason. This doesn't apply
> to free software.

Respectfully, I do not think that this is true.

I am in favor of "raising the bar" that potential invaders have to jump
over whenever I can. This includes little things and big things.

Little things can include applying patches for problems suggested in CERT
advisories and then editing the modification times on the files to be the
same as they were before. Big things can include setting up roadblocks by
editing key utilities to function a little differently. I know someone
who modified "su" to always fail when su'ing to a wheel group account
(including root) .. this was sorta clever IMHO. (and the original copy is
buried someplace dark and deep).

BSD is nice in that it always rounds to 4K so size changes are less
obvious.. but I would rather see utilities that people have no business
needing to read being unreadable.

I understand the NFS argument but generally discount it as baloney.. if it
is truly a problem, set up NFS differently.

... JG