From owner-freebsd-security Fri Oct 16 14:17:27 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA17953 for freebsd-security-outgoing; Fri, 16 Oct 1998 14:17:27 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from shell.futuresouth.com (shell.futuresouth.com [198.78.58.28]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA17811 for ; Fri, 16 Oct 1998 14:16:37 -0700 (PDT) (envelope-from fullermd@futuresouth.com)
Received: (from fullermd@localhost) by shell.futuresouth.com (8.8.8/8.8.8) id QAA17715; Fri, 16 Oct 1998 16:15:58 -0500 (CDT)
Message-ID: <19981016161558.25098@futuresouth.com>
Date: Fri, 16 Oct 1998 16:15:58 -0500
From: "Matthew D. Fuller"
To: Marius Bendiksen
Cc: andrew@squiz.co.nz, security@FreeBSD.ORG
Subject: Re: X allows ordinary user to read first line of any file
References: <3.0.5.32.19981016161322.00920830@mail.scancall.no>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.88
In-Reply-To: <3.0.5.32.19981016161322.00920830@mail.scancall.no>; from Marius Bendiksen on Fri, Oct 16, 1998 at 04:13:22PM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Oct 16, 1998 at 04:13:22PM +0200, Marius Bendiksen woke me up to tell me:
> >I'm sure there's other files where this can be a problem, but in the case
> >of the password file it seems wise to have a dummy entry as the first line
> >of the master.passwd file.
>
> You could of course just delete the file, if you're concerned that they're
> going to crack the password. If you enforce a sound password policy, they
> won't be able to get anything from that.

You could of course just strip the setuid bit from the server, and use xdm
instead of xinit. On a single user machine (single user on console, that is),
I'd just use startx, but then again, most workstations are limited to console
access. On a multiple user machine (lab, etc), xdm seems to be a better choice
anyway.
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
| FreeBSD; the way computers were meant to be             |
* "The only reason I'm burning my candle at both ends, is *
| that I haven't figured out how to light the middle yet."|
* fullermd@futuresouth.com :-} Matthew Fuller             *
| http://keystone.westminster.edu/~fullermd               |
*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
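The mitigation proposed above (drop the setuid bit from the X server and start X through xdm, which runs the server as root itself, rather than through xinit/startx, which needs a setuid server to do so for an ordinary user) comes down to a permissions audit. The script below is an added example and is not code from the mail or from the FreeBSD or XFree86 projects; the /usr/X11R6/bin server location and the XF86_* naming are assumptions about an XFree86 3.x install of that era, and the helpers are written so they can be exercised on any file.

```sh
#!/bin/sh
# Added example: audit and strip the setuid bit on an X server binary.
# Assumption: XFree86 3.x installs its servers as /usr/X11R6/bin/XF86_<driver>;
# adjust X_SERVER_DIR for other layouts. Must run as root to change a
# root-owned binary; the check functions work as any user.

X_SERVER_DIR=${X_SERVER_DIR:-/usr/X11R6/bin}

# is_setuid FILE: succeed (exit 0) if FILE carries the setuid bit.
is_setuid() {
    [ -u "$1" ]
}

# list_setuid DIR: print every regular file directly under DIR with the
# setuid bit set, one path per line. Errors (unreadable entries) are ignored.
list_setuid() {
    find "$1" -maxdepth 1 -type f -perm -4000 2>/dev/null
}

# strip_setuid FILE: clear the setuid bit and verify it is really gone.
# Succeeds only if the bit is absent afterwards.
strip_setuid() {
    chmod u-s "$1" && ! [ -u "$1" ]
}

# audit_x_servers DIR: report setuid XF86_* servers under DIR and, if
# STRIP=1 is set in the environment, strip them. Returns 0 when nothing
# setuid remains, 1 otherwise.
audit_x_servers() {
    dir=$1
    remaining=0
    for f in $(list_setuid "$dir"); do
        case "$(basename "$f")" in
            XF86_*)
                echo "setuid X server: $f"
                if [ "${STRIP:-0}" = 1 ]; then
                    strip_setuid "$f" && echo "stripped: $f" || remaining=1
                else
                    remaining=1
                fi
                ;;
        esac
    done
    return $remaining
}

# Stand-alone use: report only, then "STRIP=1 ./audit.sh" to fix.
if [ "${0##*/}" = "audit.sh" ]; then
    audit_x_servers "$X_SERVER_DIR"
fi
```

After stripping the bit, `startx` from a non-root login will fail to start the server, which is exactly the trade the mail describes: either accept that and run xdm (the server is then started by root's xdm, never by a user process), or keep the setuid server and accept that any file it reads on the user's behalf is read as root.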