From owner-freebsd-security Mon Apr 20 15:28:22 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id PAA10569 for freebsd-security-outgoing; Mon, 20 Apr 1998 15:28:22 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from indigo.ie (nsmart@ts01-56.waterford.indigo.ie [194.125.139.119]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA10057 for ; Mon, 20 Apr 1998 22:25:44 GMT (envelope-from rotel@indigo.ie)
Received: (from nsmart@localhost) by indigo.ie (8.8.8/8.8.7) id XAA01129; Mon, 20 Apr 1998 23:23:00 +0100 (IST) (envelope-from rotel@indigo.ie)
From: Niall Smart
Message-Id: <199804202223.XAA01129@indigo.ie>
Date: Mon, 20 Apr 1998 23:23:00 +0000
In-Reply-To: Karl Denninger "Re: suid/sgid programs" (Apr 19, 7:18pm)
Reply-To: rotel@indigo.ie
X-Mailer: Mail User's Shell (7.2.6 beta(3) 11/17/96)
To: Karl Denninger , Marc Slemko
Subject: Re: suid/sgid programs
Cc: freebsd-security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Apr 19, 7:18pm, Karl Denninger wrote:
} Subject: Re: suid/sgid programs
> On Sun, Apr 19, 1998 at 12:25:40PM -0600, Marc Slemko wrote:
> > On Sun, 19 Apr 1998, Karl Denninger wrote:
> >
> > Erm... but if someone wants to see what ccds are configured, they don't
> > need to be root and shouldn't.
> >
> > Same thing with netstat, etc.
>
> Fine. Anyone who wants to do that can make them SGID kmem or as otherwise
> appropriate. For the vast majority this is unnecessary.

Even setting them setgid kmem is unnecessary, just set up a cronjob to
periodically run ccdconfig > /var/config/ccd. The ability to do this kind
of thing is just another reason why the argument for keeping them set[ug]id
is such a crock.

> (BTW, making something SGID kmem only allows READ access to kmem. Making
> something SUID root gives it READ and WRITE access to anything, including
> kernel and user memory along with all devices (assuming the securelevel is
> set to -1)).

Read access to kmem will translate into root for someone clueful enough
eventually, for example, through watching the (t|p)ty driver's buffers
(difficult!)

Niall

--
Niall Smart.  PGP: finger njs3@motmot.doc.ic.ac.uk
FreeBSD: Turning PC's into Workstations: www.freebsd.org
Annoy your enemies and astonish your friends:
echo "#define if(x) if (!(x))" >> /usr/include/stdio.h

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
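The pattern Niall proposes, a root cron job that periodically writes the privileged tool's output to a world-readable file so the tool itself need carry no setuid or setgid bit, as an added example that is not part of the thread. The snapshot directory, the `ccdconfig_stub` stand-in for the real `ccdconfig` and the cron schedule are constructed here so the script runs anywhere; on a real host root's crontab would call the real tool (`ccdconfig -g` dumps the current configuration per ccdconfig(8)). The `list_setid` function is the audit a defender runs to see which binaries actually still carry set[ug]id bits.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread).
# Pattern: privileged snapshot written by a root cron job, read by anyone.

# Crontab line root would install (constructed: every 5 minutes, atomic rename).
# The tool runs as root from cron; no binary in the path needs set[ug]id bits.
CRON_LINE='*/5 * * * * /sbin/ccdconfig -g > /var/config/ccd.tmp 2>/dev/null && mv -f /var/config/ccd.tmp /var/config/ccd'

# Constructed stand-in for ccdconfig so the example is self-contained.
ccdconfig_stub() {
    printf '%s\n' 'ccd0 16 none /dev/da0s1e /dev/da1s1e'
}

# snapshot_write DIR CMD
# Runs CMD and publishes its output as DIR/ccd with mode 0644.
# Writes to a temp file and renames, so readers never see a partial file,
# and the 0644 mode lets unprivileged users read but not modify it.
snapshot_write() {
    dir=$1
    cmd=$2
    umask 022
    tmp="$dir/ccd.tmp.$$"
    if ! "$cmd" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    chmod 0644 "$tmp"
    mv -f "$tmp" "$dir/ccd"
}

# list_setid DIR
# Defender audit: print every regular file under DIR with the set-user-id
# (4000) or set-group-id (2000) bit set, one path per line.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# is_plain_readable FILE
# True when FILE is a readable regular file carrying neither set-id bit,
# i.e. the snapshot is consumable without any privilege.
is_plain_readable() {
    [ -f "$1" ] && [ -r "$1" ] && ! [ -u "$1" ] && ! [ -g "$1" ]
}

# Stand-alone demo: publish a snapshot into a temp dir and audit it.
demo_dir=$(mktemp -d)
snapshot_write "$demo_dir" ccdconfig_stub
echo "crontab entry: $CRON_LINE"
echo "snapshot contents:"
cat "$demo_dir/ccd"
echo "set[ug]id files under $demo_dir: $(list_setid "$demo_dir" | grep -c .)"
rm -rf "$demo_dir"
```

Usage on a real system: install `CRON_LINE` with `crontab -e` as root, make `/var/config` mode 0755 owned by root, and point users at `/var/config/ccd`. Because root writes the file and only root can write the directory, the snapshot cannot be altered by the readers, and `list_setid /usr/sbin /sbin` afterward should show nothing gained a set-id bit in the process.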