From owner-freebsd-questions Thu Feb 3 16:29:34 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from mail.monochrome.org (monochrome.org [206.64.112.124])
    by builder.freebsd.org (Postfix) with ESMTP id 1B063550A
    for ; Thu, 3 Feb 2000 15:29:23 -0800 (PST)
Received: from [192.168.0.3] (peche [192.168.0.3])
    by mail.monochrome.org (8.9.3/8.9.3) with ESMTP id SAA98799;
    Thu, 3 Feb 2000 18:29:40 -0500 (EST)
    (envelope-from chris@monochrome.org)
X-Sender: chris@mail.monochrome.org
Message-Id:
In-Reply-To: <20000203092944.L25520@fw.wintelcom.net>
References: ; from jcm@dogma.freebsd-uk.eu.org on Thu, Feb 03, 2000 at 03:56:32PM +0000
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 3 Feb 2000 18:29:35 -0500
To: Alfred Perlstein
From: Chris Hill
Subject: Re: security for non-root sysadmins
Cc: FreeBSD Questions list
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Alfred Perlstein wrote,
>* Jonathon McKitrick [000203 08:23] wrote:
>>
>> Okay, one thing I have learned here is to use a user account for as
>> much admin as possible. I use su to do the rest. I also read
>> somewhere that if I change the permissions on /usr/ports/distfiles and
>> one other directory (work?) I can make ports without being root. What
>> directory is that? Are there any other changes like these I can make
>> that will mean spending less time as root for admin tasks, like
>> building work or kernel? Is there a security risk in changing these
>> directory permissions to less strict settings?
>
>Yes, if you are too lax on your permissions all one needs to do is
>modify a file within your source/ports tree to have a trojan'd program
>installed when you do "make install/installworld"

I seem to recall reading on this list that some (all?) ports have some sort of ownership issue, which is automatically corrected if root does the install.

Personally, I've had a couple of port installs fail when I did them as a user su'd to root, but then the same install succeeds when I actually log in as root. This is why I do my port installations as root. Plus, I don't have to monkey with permissions on /usr/ports/distfiles or anything else. To maintain a degree of safety, I log root out as soon as the install is done.

--
Chris Hill chris@monochrome.org
[place witty saying here]

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message