From owner-freebsd-stable  Wed Apr 15 10:14:11 1998
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id KAA13954
          for freebsd-stable-outgoing; Wed, 15 Apr 1998 10:14:11 -0700 (PDT)
          (envelope-from owner-freebsd-stable@FreeBSD.ORG)
Received: from Kitten.mcs.com (Kitten.mcs.com [192.160.127.90])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA13282;
          Wed, 15 Apr 1998 17:11:14 GMT
          (envelope-from karl@Jupiter.Mcs.Net)
Received: from Jupiter.Mcs.Net (karl@Jupiter.mcs.net [192.160.127.88]) by Kitten.mcs.com (8.8.7/8.8.2) with ESMTP id MAA26282; Wed, 15 Apr 1998 12:10:50 -0500 (CDT)
Received: (from karl@localhost) by Jupiter.Mcs.Net (8.8.7/8.8.2) id MAA06498; Wed, 15 Apr 1998 12:10:49 -0500 (CDT)
Message-ID: <19980415121049.17497@Mcs.Net>
Date: Wed, 15 Apr 1998 12:10:49 -0500
From: Karl Denninger  <karl@Mcs.Net>
To: dima@best.net
Cc: Bill Trost <trost@cloud.rain.com>, stable@FreeBSD.ORG,
        freebsd-security@FreeBSD.ORG
Subject: Re: kernel permissions
References: <19282.892651401@cloud.rain.com> <199804151652.JAA00719@burka.rdy.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.84
In-Reply-To: <199804151652.JAA00719@burka.rdy.com>; from Dima Ruban on Wed, Apr 15, 1998 at 09:52:58AM -0700
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk

On Wed, Apr 15, 1998 at 09:52:58AM -0700, Dima Ruban wrote:
> Bill Trost writes:
> > Dima Ruban writes:
> >     Is there a particular reason of kernel being installed with 555 root/wheel
> >     permissions instead of 550 root/kmem ?
> >     
> >     If nobody has nothing against it - I'll commit the change.
> > 
> > Is "/kernel" typically the first command in the pipe, or should it
> > appear in the middle?  (-:
> > 
> > Maybe I am missing something, but I see no reason for /kernel to have
> > the execute bits set.  I doubt that the boot loader cares, and no one
> > wants to actually execute the kernel when it's already running.
> 
> Sure, 440 permissions are fine with me.
> 
> > As for the world read permissions:  Removing the read permissions seems
> > like a gratuitious pseudo-security change.  Is there any reason to
> > prevent users from reading the kernel?  Presumably, /usr/src/sys is
> 
> In some case I don't want my users to read a kernel name list.
> 
> > readable anyhow, so a person could build their own kernel with the same
> > configuration, so they may as well just copy the running one.
> 
> You do not always have /usr/src/sys on your machine. Especially
> on a production enviroment.
> 
> > Or, in other words -- if you are going to make a change, 0444 seems like
> > the way to go.
> 
> I'd say 0440

Agreed.

--
-- 
Karl Denninger (karl@MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/          | T1's from $600 monthly / All Lines K56Flex/DOV
			     | NEW! Corporate ISDN Prices dropped by up to 50%!
Voice: [+1 312 803-MCS1 x219]| EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS
Fax:   [+1 312 803-4929]     | *SPAMBLOCK* Technology now included at no cost

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message