From owner-freebsd-security Mon Apr 20 09:04:32 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA23053 for freebsd-security-outgoing; Mon, 20 Apr 1998 09:04:32 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from gateman.zeus.leitch.com (gateman.zeus.leitch.com [204.187.61.193]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA22942 for ; Mon, 20 Apr 1998 16:04:19 GMT (envelope-from woods@tap.zeus.leitch.com)
Received: from zeus.leitch.com (tap.zeus.leitch.com [204.187.61.10]) by gateman.zeus.leitch.com (8.8.5/8.7.3/1.0) with ESMTP id MAA17792 for ; Mon, 20 Apr 1998 12:04:25 -0400 (EDT)
Received: from brain.zeus.leitch.com (brain.zeus.leitch.com [204.187.61.32]) by zeus.leitch.com (8.7.5/8.7.3/1.0) with ESMTP id MAA22570 for ; Mon, 20 Apr 1998 12:04:24 -0400 (EDT)
Received: (from woods@localhost) by brain.zeus.leitch.com (8.8.8/8.8.8) id MAA13296; Mon, 20 Apr 1998 12:04:24 -0400 (EDT) (envelope-from woods@tap.zeus.leitch.com)
Date: Mon, 20 Apr 1998 12:04:24 -0400 (EDT)
Message-Id: <199804201604.MAA13296@brain.zeus.leitch.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
From: woods@zeus.leitch.com (Greg A. Woods)
To: freebsd-security@FreeBSD.ORG
Subject: Re: suid/sgid programs
In-Reply-To: Niall Smart's message of "Sun, April 19, 1998 20:39:48 +0000" regarding "Re: suid/sgid programs" id <199804191939.UAA01293@indigo.ie>
References: <199804191939.UAA01293@indigo.ie>
X-Mailer: VM 6.45 under Emacs 20.2.1
Reply-To: freebsd-security@FreeBSD.ORG
Organization: Planix, Inc.; Toronto, Ontario; Canada
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

[ On Sun, April 19, 1998 at 20:39:48 (+0000), Niall Smart wrote: ]
> Subject: Re: suid/sgid programs
>
> So you want an extra sgid kmem utility just because you like your curious
> users to be able to see what your ccd configuration is? How useful is
> that? Not very. Do it locally if you really must.
That's bad advice for a general audience. Only a systems programmer who is extremely familiar with the rules for writing SUID code, and who can analyze the code in question and check for possible security problems, should ever even think of adding SUID to an existing binary. Alternately a SUID-code experienced systems programmer might instead derive a program from the utility in question that only generates reports.

This is *exactly* the problem SGI/IRIX has/had -- too many programs were made SUID so that the average user running the GUI admin tools could poke around with the system. Unfortunately none of these programs seem to have gone through the normal rigorous design and programming audits one would expect for SUID code.

On the other hand, for ccdconfig itself, if we assume the code was designed and written with the view that it would normally be SUID, then there's no reason why we should distrust it any more than anything else.

Personally I'd be much more inclined to re-design the CCD driver interface such that it enforced superuser requirements on any operations that would change its configuration, and permitted normal users to query its status. Then there'd be no need for ccdconfig to be SUID in the first place.

--
Greg A. Woods
+1 416 443-1734 VE3TCP
Planix, Inc. ; Secrets of the Weird

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
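The design Greg argues for above, as an added illustration that is not part of this thread and not FreeBSD's ccd driver code: a simplified ioctl dispatcher in which the driver itself decides which commands are privileged, so a read-only status query needs no set-uid helper while any configuration change is refused unless the calling credential is root. The command numbers, the `cred_model` credential struct and the `ccd_ioctl` function are all hypothetical stand-ins for the real kernel interfaces.

```c
#include <errno.h>
#include <stdio.h>

/* Hypothetical command numbers for a CCD-like driver (not the real ccd ioctls). */
enum ccd_cmd { CCD_GET_STATUS = 1, CCD_SET_CONFIG = 2, CCD_UNCONFIG = 3 };

/* Minimal credential model: only the effective uid matters for this demo. */
struct cred_model { unsigned uid; };

/* Constructed driver state: whether the device is configured and with how many components. */
struct ccd_state { int configured; unsigned ncomponents; };

static struct ccd_state ccd = { 0, 0 };

/* The privilege policy lives in the driver: only commands that change
   configuration are privileged, so a status query is open to any user. */
static int ccd_cmd_is_privileged(int cmd)
{
    switch (cmd) {
    case CCD_SET_CONFIG:
    case CCD_UNCONFIG:
        return 1;
    default:
        return 0;
    }
}

/* Dispatch one request. Returns 0 on success or a positive errno value.
   The check happens before any state is touched, and it applies to the
   credential of the caller, not to the permissions of some userland tool. */
int ccd_ioctl(const struct cred_model *cred, int cmd, unsigned arg,
              struct ccd_state *out)
{
    if (ccd_cmd_is_privileged(cmd) && cred->uid != 0)
        return EPERM;

    switch (cmd) {
    case CCD_GET_STATUS:
        if (out != NULL)
            *out = ccd;          /* read-only copy of the current state */
        return 0;
    case CCD_SET_CONFIG:
        if (arg == 0)
            return EINVAL;       /* a ccd needs at least one component */
        ccd.configured = 1;
        ccd.ncomponents = arg;
        return 0;
    case CCD_UNCONFIG:
        ccd.configured = 0;
        ccd.ncomponents = 0;
        return 0;
    default:
        return ENOTTY;           /* unknown command for this device */
    }
}

int main(void)
{
    struct cred_model user = { 1000 }, root = { 0 };
    struct ccd_state st;

    /* An ordinary user may look but not touch. */
    printf("user SET_CONFIG -> %d (EPERM=%d)\n",
           ccd_ioctl(&user, CCD_SET_CONFIG, 2, NULL), EPERM);
    printf("root SET_CONFIG -> %d\n", ccd_ioctl(&root, CCD_SET_CONFIG, 2, NULL));
    printf("user GET_STATUS -> %d\n", ccd_ioctl(&user, CCD_GET_STATUS, 0, &st));
    printf("configured=%d ncomponents=%u\n", st.configured, st.ncomponents);
    return 0;
}
```

With the privilege decision made per command inside the kernel, the userland `ccdconfig`-style tool can run with the invoking user's own credentials: a plain user gets status, and a configuration attempt fails with EPERM rather than relying on an audited set-uid binary to refuse it.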