Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 22 Jan 1996 23:40:59 +1100
From:      Bruce Evans <bde@zeta.org.au>
To:        davidg@root.com, luigi@labinfo.iet.unipi.it
Cc:        dworkin@rover.village.org, hackers@FreeBSD.org, imp@village.org
Subject:   Re: Security (was: Re: Two commands: icat and ils)
Message-ID:  <199601221240.XAA29420@godzilla.zeta.org.au>
next in thread | raw e-mail | index | archive | help 
>>Why ? Security must be enforced with proper protections, not by
>>simply trying to hide information which *is* available. One thing
>>I never liked in FreeBSD:
>>
>>    www# ls -l /sbin/init /sbin/shutdown
>>    -r-x------  1 bin   bin       143360 Nov 16 10:49 /sbin/init
>>    -r-sr-x---  1 root  operator  135168 Nov 16 10:49 /sbin/shutdown
>>
>>as if denying *read* access to these publicly available files would
>>prevent anyone from rebuilding them from the sources or getting a
>>copy from the binary distribution or from the CDROM.

I agree.  One thing I like about FreeBSD is that it only has 3 binaries
like this (the other one is /usr/sbin/watch).  On my ISP's
old-slackware-based  Linux system, there are 70 files like this,
including top secret (;-) ones like:

    -r-xr-x---   1 root     root        17412 Mar 12  1995 /sbin/mke2fs

This annoyed me when I wanted to grab it to test ext2fs under FreeBSD.

>   That's not the reason they have read permissions removed. It's common for
>people to have /sbin in their path - to pick up useful utilities which
>probably shouldn't be in /sbin anyway (like ifconfig and ping, for example),
>and executing /sbin/init by accident is not a good thing.

Erm.  It is harmless.

$bde init
bash: /sbin/init: Permission denied
$bde su
#root init
init: already running
#root ^D
$bde shutdown -r now    # I'm in group operator, better not do this accidentally
Shutdown NOW!
...
#root cp /sbin/init /tmp; chmod 777 /tmp/init
#root ^D
$bde ktrace -i /tmp/init
init: Operation not permitted
$bde kdump | less
$bde vi /usr/src/sbin/init/init.c
$bde # init bailed out early because getuid() != 0

Bruce

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199601221240.XAA29420>