From owner-freebsd-security  Mon Apr 20 15:28:22 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id PAA10569
          for freebsd-security-outgoing; Mon, 20 Apr 1998 15:28:22 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from indigo.ie (nsmart@ts01-56.waterford.indigo.ie [194.125.139.119])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA10057
          for <freebsd-security@FreeBSD.ORG>; Mon, 20 Apr 1998 22:25:44 GMT
          (envelope-from rotel@indigo.ie)
Received: (from nsmart@localhost)
	by indigo.ie (8.8.8/8.8.7) id XAA01129;
	Mon, 20 Apr 1998 23:23:00 +0100 (IST)
	(envelope-from rotel@indigo.ie)
From: Niall Smart <rotel@indigo.ie>
Message-Id: <199804202223.XAA01129@indigo.ie>
Date: Mon, 20 Apr 1998 23:23:00 +0000
In-Reply-To: Karl Denninger  <karl@mcs.net>
       "Re: suid/sgid programs" (Apr 19,  7:18pm)
Reply-To: rotel@indigo.ie
X-Mailer: Mail User's Shell (7.2.6 beta(3) 11/17/96)
To: Karl Denninger  <karl@mcs.net>, Marc Slemko <marcs@znep.com>
Subject: Re: suid/sgid programs
Cc: freebsd-security@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Apr 19,  7:18pm, Karl Denninger wrote:
} Subject: Re: suid/sgid programs
> On Sun, Apr 19, 1998 at 12:25:40PM -0600, Marc Slemko wrote:
> > On Sun, 19 Apr 1998, Karl Denninger wrote:
> > 
> > Erm... but if someone wants to see what ccds are configured, they don't
> > need to be root and shouldn't.
> > 
> > Same thing with netstat, etc.
> 
> Fine.  Anyone who wants to do that can make them SGID kmem or as otherwise
> appropriate.  For the vast majority this is unnecessary.

Even setting them setgid kmem is unnecessary, just setup a cronjob
to periodically run ccdconfig > /var/config/ccd.  The ability to
do this kind of thing is just another reason why the argument for
keeping them set[ug]id is such a crock.

> (BTW, making something SGID kmem only allows READ access to kmem.  Making
> something SUID root gives it READ and WRITE access to anything, including
> kernel and user memory along with all devices (assuming the securelevel is
> set to -1)).

Read access to kmem will translate into root for someone clueful
enough eventually for example, through watching the (t|p)ty driver's
buffers (difficult!)


Niall


-- 
Niall Smart.        PGP: finger njs3@motmot.doc.ic.ac.uk
FreeBSD: Turning PC's into Workstations: www.freebsd.org
Annoy your enemies and astonish your friends:
echo "#define if(x) if (!(x))" >> /usr/include/stdio.h

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message