From: Nicholas Charles Brawn
Date: Mon, 6 Jul 1998 03:18:20 +1000 (EST)
To: Jay Tribick
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Increasing security by decreasing installed programs

On Sat, 4 Jul 1998, Jay Tribick wrote:

>
> Hi all..
>
> I think we all need to look closely at the default-installed
> suid/sgid programs. Why, by default, does FreeBSD install uucp*?
> There's not /that/ many people who use it and it would be much
> better as an optional component, especially as it runs suid/sgid.
>
> Why not make the installation program let you select defaultly
> installed suid binaries individually (instead of just selecting
> the basic distribution, let us go one level down and select
> individual basic packages)?
>
> Regards,
>
> Jay Tribick
>
> [| Network Administrator | FastNet International | http://fast.net.uk/ |]
> [| PGPv5 RSA Key Available [2047bit] | Finger netadmin@fastnet.co.uk |]
> [| T: +44 (0)1273 677633 F: +44 (0)1273 621631 e: netadmin@fast.net.uk |]
> [| ----={ PGPv5 Fingerprint := FA690E7762F0E62F38C6052CC387FFF3 }=---- |]
>

Robert Watson's site - http://www.watson.org/fbsd-hardening/ covers (or at
least discusses) this issue. However, I am in agreement with you that there
should be some sort of option to limit installation of default setuid and
setgid programs during installation of a new FreeBSD system.

Perhaps some sort of "security" option that one could run after the
installation that would alert you about all setuid/setgid files and devices,
and allow you to remove privileges and increase or modify default security
settings?

Just my $0.02 :)

Nick

--
Email: ncb05@uow.edu.au - http://rabble.uow.edu.au/~nick
Key fingerprint = DE 30 33 D3 16 91 C8 8D A7 F8 70 03 B7 77 1A 2A
"When in doubt, ask someone wiser than yourself..." -unknown
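
The post-install check suggested in the reply above (list every setuid/setgid file, then optionally remove the bits) can be done with standard tools. The following is an added example, not part of the original thread or of FreeBSD's own tooling; the function names and the allowlist file format (one absolute path per line) are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): audit setuid/setgid files against an
# allowlist. Function names and the allowlist format (one absolute path per
# line) are assumptions. Paths containing newlines are not handled.

# list_suid ROOT: print every regular file under ROOT with the setuid (4000)
# or setgid (2000) bit set, sorted. -xdev keeps find on ROOT's filesystem.
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# audit_suid ROOT [ALLOWLIST]: print only the files that are not allowlisted.
audit_suid() {
    allow=${2:-}
    list_suid "$1" | while IFS= read -r f; do
        if [ -n "$allow" ] && [ -f "$allow" ] && grep -Fxq -- "$f" "$allow"; then
            continue
        fi
        printf '%s\n' "$f"
    done
}

# strip_unlisted ROOT [ALLOWLIST]: clear both bits on every unlisted file.
strip_unlisted() {
    audit_suid "$1" "${2:-}" | while IFS= read -r f; do
        chmod ug-s "$f" && printf 'stripped %s\n' "$f"
    done
}

# Report mode when called with arguments, e.g.: sh suid-audit.sh /usr allow.txt
if [ "$#" -ge 1 ]; then
    audit_suid "$1" "${2:-}" | while IFS= read -r f; do ls -ld "$f"; done
fi
```

Review the output of `audit_suid` before calling `strip_unlisted`, since some binaries stop working for unprivileged users once the bits are cleared.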