Date:      Wed, 24 Jan 1996 22:51:55 +1030 (CST)
From:      Michael Smith <msmith@atrad.adelaide.edu.au>
To:        nlawson@statler.csc.calpoly.edu (Nathan Lawson)
Cc:        msmith@atrad.adelaide.edu.au, security@freebsd.org
Subject:   Re: Ownership of files/tcp_wrappers port
Message-ID:  <199601241221.WAA27070@genesis.atrad.adelaide.edu.au>
In-Reply-To: <199601241019.CAA11895@statler.csc.calpoly.edu> from "Nathan Lawson" at Jan 24, 96 02:19:51 am

Nathan Lawson stands accused of saying:
> > If nothing else, it's convenient to have "someone" own "system" things.
> > It's _preferable_ that this "someone" isn't a user in the common sense of
> > the word.

> This "someone" is not well-protected enough to own critical things
> like binaries.  Until you can prove to me that a bin compromise is
> as hard as a root compromise, I won't relent.  Consider NFS,
> hosts.equiv, and login.  None of those will stop a bin intrusion.
> If you can log in as bin, login will let you.  If you can access a
> filesystem via NFS, bin access is allowed while root is mapped to
> nobody.  Hosts.equiv allows _every_ user except root to access the
> equivalent account.

Bin has no shell. (See below).  Few or no binaries are ever setuid bin.
If you're paranoid, your NFS mounts are nosuid.  I'd say bin was of
comparable secureness to root.  Root is, however, more likely to be stupid
and use their password in cleartext over the 'net or be shoulder-snooped.

> Of course, I don't think rlogin and NFS are secure protocols.  But
> you should do your best to protect what little security you do have.
> Saying "oh, the protocols are fundamentally flawed, let's just throw
> security out the door" is lazy.

Take your pick.  Either they're flawed and a leaking hole, or you should
trust them.  Choose one.

Having binaries owned by bin compromised is no more likely than having
binaries owned by root compromised.  The added protection of having a
nonlogin user owning them is obviously worth it, presuming that root is
reasonably careful.

Either way, bin is a convenient and simple safeguard.  It hurts nothing,
so why the angst?

> > > bin is nice for non-threat functions in that it has no password
> > > assigned, thus disabling any logins...  of course there is that one
> > > fool in a million who will
> > 
> > And no shell either.
> 
> Nope.  It uses /bin/sh if the shell is null.  I prefer /noshell.

Bin has no shell, i.e. it has a nonexistent shell.  Check /etc/passwd on
a stock FreeBSD system and you will find that bin has /nonexistent as a shell.

> Nate Lawson   \Yeah, I was dreaming through the 'howzlife', yawning, car black, 

-- 
]] Mike Smith, Software Engineer        msmith@atrad.adelaide.edu.au    [[
]] Genesis Software                     genesis@atrad.adelaide.edu.au   [[
]] High-speed data acquisition and      (GSM mobile) 0411-222-496       [[
]] realtime instrument control          (ph/fax)  +61-8-267-3039        [[
]] "Who does BSD?" "We do Chucky, we do."                               [[
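The point the two sides agree on is that a system account such as bin must not have an empty shell field, since login(1) falls back to /bin/sh when the field is null, and FreeBSD's answer is the explicit /nonexistent entry. The following audit script is an added example, not part of the original thread or of FreeBSD; it parses a constructed passwd(5) sample embedded inline (the entries are made up for illustration) and reports accounts whose shell field is empty, plus low-uid system accounts whose shell is anything other than /nonexistent, so an administrator can see which pseudo-users would actually accept a login.

```shell
#!/bin/sh
# Added example (not from the original message): audit passwd(5) entries for
# system accounts that could still be logged into.  An empty seventh field is
# treated by login(1) as /bin/sh, so a pseudo-user like bin should carry an
# explicit non-existent shell (/nonexistent on FreeBSD) instead of nothing.

# Constructed sample passwd data; not taken from any real system.
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/nonexistent
operator:*:2:5:System &:/:/nonexistent
bin:*:3:7:Binaries Commands and Source:/:/nonexistent
news:*:8:8:News Subsystem:/:
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/libexec/uucp/uucico
nobody:*:65534:65534:Unprivileged user:/nonexistent:/nonexistent
alice:$6$xyz:1001:1001:Alice:/home/alice:/bin/sh'

# empty_shell_accounts PASSWD_TEXT
# Prints, one per line, the login names whose shell field is empty.  These are
# the accounts that login(1) would hand /bin/sh, regardless of intent.
empty_shell_accounts() {
    printf '%s\n' "$1" | awk -F: '$7 == "" { print $1 }'
}

# system_accounts_with_shell PASSWD_TEXT UID_THRESHOLD
# Prints "name:shell" for every account with uid below UID_THRESHOLD whose shell
# is not /nonexistent.  An empty field is reported as the /bin/sh default so the
# output shows what login(1) would actually run.
system_accounts_with_shell() {
    printf '%s\n' "$1" | awk -F: -v t="$2" '
        $3 < t && $7 != "/nonexistent" {
            shell = ($7 == "") ? "/bin/sh (defaulted)" : $7
            print $1 ":" shell
        }'
}

# audit_passwd_file PATH [UID_THRESHOLD]
# Convenience wrapper for a real system, e.g. audit_passwd_file /etc/passwd.
# System accounts are assumed to have uids below 100 (adjust for your site).
audit_passwd_file() {
    text=$(cat "$1")
    threshold=${2:-100}
    echo "== accounts with an empty shell field (login would use /bin/sh) =="
    empty_shell_accounts "$text"
    echo "== system accounts (uid < $threshold) whose shell is not /nonexistent =="
    system_accounts_with_shell "$text" "$threshold"
}

# Stand-alone run against the constructed sample.
echo "== accounts with an empty shell field (login would use /bin/sh) =="
empty_shell_accounts "$SAMPLE_PASSWD"
echo "== system accounts (uid < 100) whose shell is not /nonexistent =="
system_accounts_with_shell "$SAMPLE_PASSWD" 100
```

On the sample, only `news` has an empty shell field, and the review list for uids below 100 is root (an interactive shell is expected there), news (defaulted to /bin/sh) and uucp (its own login program). Whether a shell that is listed is genuinely unusable is a separate check, since a path such as /nonexistent only works if nothing is ever installed there; the script deliberately reports by name rather than by testing the filesystem, so it can be run against a copied passwd file from another host.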