Date: Mon, 28 Jul 1997 15:26:12 -0700 (PDT) From: Vincent Poy <vince@mail.MCESTATE.COM> To: Robert Watson <robert+freebsd@cyrus.watson.org> Cc: Adam Shostack <adam@homeport.org>, security@FreeBSD.ORG, JbHunt <johnnyu@accessus.net>, "[Mario1-]" <mario1@PrimeNet.Com> Subject: Re: security hole in FreeBSD Message-ID: <Pine.BSF.3.95.970728152434.3844L-100000@mail.MCESTATE.COM> In-Reply-To: <Pine.BSF.3.95q.970728164656.3342K-100000@cyrus.watson.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 28 Jul 1997, Robert Watson wrote: =)Several mail delivery programs (mail.local, sendmail, uucp-stuff, etc) =)require root access to delivery to local mailboxes; crontab related stuff, =)terminal locking, some kerberos commands, local XWindows servers, and su =)all rely on suid. That's what I thought. I think even fingerd needs suid. =)What type of secured environment are you hoping to create? If root access =)is only to be used from the console, and shared functions like =)xwindows/mailstuff/user crontab aren't needed, you can probably just =)disable all the suid-root programs, or suid-anything programs. Look also =)at the sgid programs that scan kmem. Ideally, you'd also put the system =)in a higher secure level, and mount all partitions non-suid, as long as =)login kept working :). Hmmm, but what about root access by using su? =)Does login require suid, or does gettytab run it as root anyway? I think it does. Cheers, Vince - vince@MCESTATE.COM - vince@GAIANET.NET ________ __ ____ Unix Networking Operations - FreeBSD-Real Unix for Free / / / / | / |[__ ] GaiaNet Corporation - M & C Estate / / / / | / | __] ] Beverly Hills, California USA 90210 / / / / / |/ / | __] ] HongKong Stars/Gravis UltraSound Mailing Lists Admin /_/_/_/_/|___/|_|[____]
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.95.970728152434.3844L-100000>