Date: Mon, 20 Apr 1998 23:23:00 +0000
From: Niall Smart <rotel@indigo.ie>
To: Karl Denninger <karl@mcs.net>, Marc Slemko <marcs@znep.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: suid/sgid programs
Message-ID: <199804202223.XAA01129@indigo.ie>
In-Reply-To: Karl Denninger <karl@mcs.net> "Re: suid/sgid programs" (Apr 19, 7:18pm)

On Apr 19, 7:18pm, Karl Denninger wrote:
} Subject: Re: suid/sgid programs
> On Sun, Apr 19, 1998 at 12:25:40PM -0600, Marc Slemko wrote:
> > On Sun, 19 Apr 1998, Karl Denninger wrote:
> >
> > Erm... but if someone wants to see what ccds are configured, they don't
> > need to be root and shouldn't.
> >
> > Same thing with netstat, etc.
>
> Fine. Anyone who wants to do that can make them SGID kmem or as otherwise
> appropriate. For the vast majority this is unnecessary.

Even setting them setgid kmem is unnecessary, just set up a cron job
to periodically run ccdconfig > /var/config/ccd. The ability to do this
kind of thing is just another reason why the argument for keeping them
set[ug]id is such a crock.

> (BTW, making something SGID kmem only allows READ access to kmem. Making
> something SUID root gives it READ and WRITE access to anything, including
> kernel and user memory along with all devices (assuming the securelevel is
> set to -1)).

Read access to kmem will translate into root for someone clueful
enough eventually, for example, through watching the (t|p)ty driver's
buffers (difficult!)

Niall

--
Niall Smart. PGP: finger njs3@motmot.doc.ic.ac.uk
FreeBSD: Turning PC's into Workstations: www.freebsd.org
Annoy your enemies and astonish your friends:
echo "#define if(x) if (!(x))" >> /usr/include/stdio.h