From owner-freebsd-security Wed Jan 24 04:13:43 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id EAA24912 for security-outgoing; Wed, 24 Jan 1996 04:13:43 -0800 (PST)
Received: from genesis.atrad.adelaide.edu.au (genesis.atrad.adelaide.edu.au [129.127.96.120]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id EAA24897 for ; Wed, 24 Jan 1996 04:13:32 -0800 (PST)
Received: from msmith@localhost by genesis.atrad.adelaide.edu.au (8.6.12/8.6.9) id WAA27070; Wed, 24 Jan 1996 22:51:55 +1030
From: Michael Smith
Message-Id: <199601241221.WAA27070@genesis.atrad.adelaide.edu.au>
Subject: Re: Ownership of files/tcp_wrappers port
To: nlawson@statler.csc.calpoly.edu (Nathan Lawson)
Date: Wed, 24 Jan 1996 22:51:55 +1030 (CST)
Cc: msmith@atrad.adelaide.edu.au, security@freebsd.org
In-Reply-To: <199601241019.CAA11895@statler.csc.calpoly.edu> from "Nathan Lawson" at Jan 24, 96 02:19:51 am
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
Precedence: bulk

Nathan Lawson stands accused of saying:
> > If nothing else, it's convenient to have "someone" own "system" things.
> > It's _preferable_ that this "someone" isn't a user in the common sense of
> > the word.
>
> This "someone" is not well-protected enough to own critical things
> like binaries. Until you can prove to me that a bin compromise is
> as hard as a root compromise, I won't relent. Consider NFS,
> hosts.equiv, and login. None of those will stop a bin intrusion.
> If you can log in as bin, login will let you. If you can access a
> filesystem via NFS, bin access is allowed while root is mapped to
> nobody. Hosts.equiv allows _every_ user except root to access the
> equivalent account.

Bin has no shell. (See below.) Few or no binaries are ever setuid bin.
If you're paranoid, your NFS mounts are nosuid. I'd say bin was of
comparable secureness to root.

Root is, however, more likely to be stupid and use their password in
cleartext over the 'net or be shoulder-snooped.

> Of course, I don't think rlogin and NFS are secure protocols. But
> you should do your best to protect what little security you do have.
> Saying "oh, the protocols are fundamentally flawed, let's just throw
> security out the door" is lazy.

Take your pick. Either they're flawed and a leaking hole, or you should
trust them. Choose one.

Having binaries owned by bin compromised is no more likely than having
binaries owned by root compromised. The added protection of having a
nonlogin user owning them is obviously worth it, presuming that root is
reasonably careful.

Either way, bin is a convenient and simple safeguard. It hurts nothing,
so why the angst?

> > > bin is nice for non-threat functions in that it has no password
> > > assigned, thus disabling any logins... of course there is that one
> > > fool in a million who will
> >
> > And no shell either.
>
> Nope. It uses /bin/sh if the shell is null. I prefer /noshell.

Bin has no shell, i.e. it has a nonexistent shell. Check /etc/passwd on a
stock FreeBSD system and you will find that bin has /nonexistent as a
shell.

> Nate Lawson \Yeah, I was dreaming through the 'howzlife', yawning, car black,

--
]] Mike Smith, Software Engineer msmith@atrad.adelaide.edu.au [[
]] Genesis Software genesis@atrad.adelaide.edu.au [[
]] High-speed data acquisition and (GSM mobile) 0411-222-496 [[
]] realtime instrument control (ph/fax) +61-8-267-3039 [[
]] "Who does BSD?" "We do Chucky, we do." [[
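The two checks this reply leans on, a non-login shell on system accounts like bin and NFS mounts carrying nosuid, as an added audit script that is not part of the thread. It runs on constructed passwd and fstab samples rather than the live files; the uid cutoff of 100 and the set of shells treated as "no login" are assumptions, and an empty shell is counted as a usable one because login falls back to /bin/sh.

```sh
#!/bin/sh
# Audit helpers: system accounts that still have a usable login shell, and
# NFS mounts that were not mounted nosuid. Both run on constructed sample
# data here; feed them the real files with
#   system_accounts_with_shell "$(cat /etc/passwd)" 100
#   nfs_mounts_without_nosuid "$(cat /etc/fstab)"

# Constructed /etc/passwd sample (not from any real host). bin and nobody
# use /nonexistent as on stock FreeBSD; daemon has a real shell and
# operator has an empty one (which login treats as /bin/sh).
SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/bin/sh
operator:*:2:5:System &:/:
bin:*:3:7:Binaries Commands and Source:/:/nonexistent
nobody:*:65534:65534:Unprivileged user:/nonexistent:/nonexistent
alice:*:1001:1001:Alice:/home/alice:/bin/sh'

# Constructed /etc/fstab sample: the /usr/src NFS mount lacks nosuid.
SAMPLE_FSTAB='/dev/wd0s1a / ufs rw 1 1
fileserver:/export/home /home nfs rw,nosuid 0 0
fileserver:/export/src /usr/src nfs rw 0 0'

# Print "name:shell" for every non-root account below the uid cutoff whose
# shell would actually run at login. An empty shell is reported as "(none)"
# because login falls back to /bin/sh. The cutoff (assumed: 100) and the
# list of no-login shells are assumptions, not FreeBSD-defined values.
system_accounts_with_shell() {
    printf '%s\n' "$1" | awk -F: -v max="$2" '
        $3 > 0 && $3 < max &&
        $7 != "/nonexistent" && $7 != "/sbin/nologin" && $7 !~ /noshell/ {
            print $1 ":" ($7 == "" ? "(none)" : $7)
        }'
}

# Print the mount point of every NFS entry whose option list has no nosuid.
nfs_mounts_without_nosuid() {
    printf '%s\n' "$1" | awk '
        $3 == "nfs" {
            n = split($4, opt, ","); ok = 0
            for (i = 1; i <= n; i++) if (opt[i] == "nosuid") ok = 1
            if (!ok) print $2
        }'
}

echo "System accounts with a usable shell:"
system_accounts_with_shell "$SAMPLE_PASSWD" 100
echo "NFS mounts missing nosuid:"
nfs_mounts_without_nosuid "$SAMPLE_FSTAB"
```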