From owner-freebsd-hackers Mon Feb 24 10:24:08 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id KAA05624 for hackers-outgoing; Mon, 24 Feb 1997 10:24:08 -0800 (PST) Received: from mailhub.aros.net (mailhub.aros.net [207.173.16.17]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id KAA05596 for ; Mon, 24 Feb 1997 10:24:03 -0800 (PST) Received: from fluffy.aros.net (fluffy.aros.net [207.173.16.2]) by mailhub.aros.net (8.8.5/Unknown) with ESMTP id LAA08383; Mon, 24 Feb 1997 11:23:53 -0700 (MST) Received: from fluffy.aros.net (localhost [127.0.0.1]) by fluffy.aros.net (8.8.5/8.6.12) with ESMTP id LAA27302; Mon, 24 Feb 1997 11:23:52 -0700 (MST) Message-Id: <199702241823.LAA27302@fluffy.aros.net> To: Alex Belits cc: hackers@freebsd.org Subject: Re: disallow setuid root shells? Date: Mon, 24 Feb 1997 11:23:51 -0700 From: Dave Andersen Sender: owner-hackers@freebsd.org X-Loop: FreeBSD.org Precedence: bulk -------- [CC: list trimmed] > IMHO adding "anti-setuid" code into shell will help, but that help won't > worth the effort of typing "setuid(getuid());" and recompiling the shell > -- it only makes one more step required to get the same result unless the > system is stripped down until becoming completely useless (but stripped > down until becoming completely useless system isn't vulnerable to most of > known security bugs anyway). I disagree. It's a small thing, and very easy to get around, but it would help reduce the number of breakins by people who don't understand what they're doing aside from running this program-thingy that someone gave them. I freely admit that most of these people will be using widely published exploit code, and that almost any vigilant sysadmin won't be vulnerable to them -- but not everybody is anal about keeping their computer up to date and secure. Forgive me for sounding political, but if even one or two computers are prevented from having a root compromise by this, it seems worthwhile - especially since nobody can think of anything it would actually hurt. -Dave