Date: Mon, 20 Apr 1998 10:12:57 -0400 (EDT)
From: Robert Watson <robert@cyrus.watson.org>
To: James Wyatt <jwyatt@rwsystr.RWSystems.net>
Cc: freebsd-security@FreeBSD.ORG, fpscha@schapachnik.com.ar, Niall Smart <rotel@indigo.ie>
Subject: Re: suid/sgid programs
Message-ID: <Pine.BSF.3.96.980420100726.16935B-100000@fledge.watson.org>
In-Reply-To: <Pine.LNX.3.91.980420084647.19730A-100000@rwsystr.RWSystems.net>

On Mon, 20 Apr 1998, James Wyatt wrote:

> I thought we were after suid/sgid programs that had kernel risks (like
> suid root or sgid kmem). What does s[ug]id uucp impact outside of the
> uucp core files? Your inbound/outbound password files might be useful for
> password hacking or getting free service, but what else?
>
> btw: I really dislike the "We can make this stronger by %s and if you
> don't like it or need it undone, you can %s" arguments. They peel-off
> useful subsystems and factionalize us. I still use UUCP a lot here in the
> states for unmetered full-domain email support. Works nicely and lets me
> remote-admin much cheaper.

Again, my feeling is that suid programs in general make it harder to audit. If a bug exists in a uucp program, the ability to run arbitrary programs as the UUCP account (and that the UUCP binaries are *writable* by the UUCP account) severely limits the effectiveness of current auditing tools.

Key concept: If you're not using a feature that involves screwing with UIDs, then it should be disabled. I would guess that the majority of FreeBSD users do not make use of UUCP. As such, it provides no benefits for them, but does increase risk and make auditing harder.

I am not recommending removing or disabling UUCP in the default distribution (at this time). On the other hand, I am recommending that an easy way be provided to disable its suid features. And I am also offering to provide that as part of the Hardening Project. I hope to have an initial suid/sgid program manager hacked up sometime later this week.

The goal here is to provide an easy way to manage the risks associated with the various portions of FreeBSD, and to provide an easy way to set the policy. UUCP provides clear and useful functionality -- but not to everyone. The same goes for ping, sendmail, and fingerd, for that matter.

Robert N Watson

----
Carnegie Mellon University    http://www.cmu.edu/
Trusted Information Systems   http://www.tis.com/
SafePort Network Services     http://www.safeport.com/
robert@fledge.watson.org      http://www.watson.org/~robert/
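
An added example, not part of the original message or of the Hardening Project: a minimal Python audit pass for the concern raised above, listing setuid/setgid files and flagging those owned by a non-root account, since that account can rewrite the binary. The tag names and the default scan directories are assumptions.

```python
import os
import stat
import sys

def classify(mode, uid):
    """Tag one file from its st_mode and owner uid; [] if not setuid/setgid."""
    if not stat.S_ISREG(mode) or not mode & (stat.S_ISUID | stat.S_ISGID):
        return []
    tags = []
    if mode & stat.S_ISUID:
        tags.append("setuid")
    if mode & stat.S_ISGID:
        tags.append("setgid")
    # Owned by a non-root account: that account can modify the file, directly
    # if u+w is set or after a chmod, so a bug in any program running under
    # that uid lets the privileged binary itself be replaced.
    if uid != 0:
        tags.append("nonroot-owner")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        tags.append("group-or-world-writable")
    return tags

def scan(root):
    """Walk root without following symlinks; yield (path, uid, gid, tags)."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or is unreadable; skip it
            tags = classify(st.st_mode, st.st_uid)
            if tags:
                yield path, st.st_uid, st.st_gid, tags

if __name__ == "__main__":
    # Default directories are an assumption; pass your own as arguments.
    for root in sys.argv[1:] or ["/usr/bin", "/usr/sbin", "/usr/libexec"]:
        for path, uid, gid, tags in scan(root):
            print(f"{path}\tuid={uid}\tgid={gid}\t{','.join(tags)}")
```

Entries tagged nonroot-owner are the ones to review first when deciding which suid/sgid bits to disable on a system that does not use the feature.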