From owner-freebsd-security  Mon Jul 28 15:49:55 1997
Return-Path: <owner-freebsd-security>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.5/8.8.5) id PAA09466
          for security-outgoing; Mon, 28 Jul 1997 15:49:55 -0700 (PDT)
Received: from netrail.net (netrail.net [205.215.10.3])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id PAA09451
          for <security@FreeBSD.ORG>; Mon, 28 Jul 1997 15:49:51 -0700 (PDT)
Received: from localhost (jonz@localhost)
	by netrail.net (8.8.6/8.8.6) with SMTP id SAA27656;
	Mon, 28 Jul 1997 18:49:02 GMT
Date: Mon, 28 Jul 1997 18:49:02 +0000 (GMT)
From: "Jonathan A. Zdziarski" <jonz@netrail.net>
To: Robert Watson <robert+freebsd@cyrus.watson.org>
cc: Adam Shostack <adam@homeport.org>, Vincent Poy <vince@mail.MCESTATE.COM>,
        security@FreeBSD.ORG
Subject: Re: security hole in FreeBSD
In-Reply-To: <Pine.BSF.3.95q.970728164656.3342K-100000@cyrus.watson.org>
Message-ID: <Pine.BSF.3.95q.970728184807.26434D-100000@netrail.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

I was exploring a little while ago programming a ch-rooted telnetd to
chroot to /usr if the person was over a specific uid.  I got it running
nicely, but never got to put it into production to fully test it...had to
do a lot of copying (passwd files, etc, just like ftp).


-------------------------------------------------------------------------
Jonathan A. Zdziarski                                NetRail Incorporated
Server Engineering Manager                    230 Peachtree St. Suite 500
jonz@netrail.net                                        Atlanta, GA 30303
http://www.netrail.net                                    (888) - NETRAIL
------------------------------------------------------------------------- 

On Mon, 28 Jul 1997, Robert Watson wrote:

:On Mon, 28 Jul 1997, Adam Shostack wrote:
:
:> Vincent Poy wrote:
:> 
:> 	su really should be setuid.  Everything else is debatable.  My
:> advice is to turn off all setuid bits except those you know you need
:> (possibly w, who, ps, ping, at, passwd)
:> 
:> find / -xdev -perm -4000 -ok chmod u-s {} \;
:> find /usr -xdev -perm -4000 -ok chmod u-s {} \;
:> find / -xdev -perm -2000 -ok chmod g-s {} \;
:> find /usr -xdev -perm -2000 -ok chmod g-s {} \;
:> # The semicolons are part of the line
:
:Several mail delivery programs (mail.local, sendmail, uucp-stuff, etc)
:require root access to delivery to local mailboxes; crontab related stuff,
:terminal locking, some kerberos commands, local XWindows servers, and su
:all rely on suid.
:
:What type of secured environment are you hoping to create?  If root access
:is only to be used from the console, and shared functions like
:xwindows/mailstuff/user crontab aren't needed, you can probably just
:disable all the suid-root programs, or suid-anything programs.  Look also
:at the sgid programs that scan kmem.  Ideally, you'd also put the system
:in a higher secure level, and mount all partitions non-suid, as long as
:login kept working :).
:
:Does login require suid, or does gettytab run it as root anyway?
:
:  Robert N Watson 
:
:Junior, Logic+Computation, Carnegie Mellon University  http://www.cmu.edu/
:Network Security Research, Trusted Information Systems http://www.tis.com/
:Network Administrator, SafePort Network Services  http://www.safeport.com/
:robert@fledge.watson.org   rwatson@tis.com  http://www.watson.org/~robert/
: