Date: Wed, 15 Apr 1998 09:52:58 -0700 (PDT) From: dima@best.net (Dima Ruban) To: trost@cloud.rain.com (Bill Trost) Cc: stable@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: kernel permissions Message-ID: <199804151652.JAA00719@burka.rdy.com> In-Reply-To: <19282.892651401@cloud.rain.com> from Bill Trost at "Apr 15, 98 07:43:21 am"
next in thread | previous in thread | raw e-mail | index | archive | help
Bill Trost writes: > Dima Ruban writes: > Is there a particular reason of kernel being installed with 555 root/wheel > permissions instead of 550 root/kmem ? > > If nobody has nothing against it - I'll commit the change. > > Is "/kernel" typically the first command in the pipe, or should it > appear in the middle? (-: > > Maybe I am missing something, but I see no reason for /kernel to have > the execute bits set. I doubt that the boot loader cares, and no one > wants to actually execute the kernel when it's already running. Sure, 440 permissions are fine with me. > As for the world read permissions: Removing the read permissions seems > like a gratuitious pseudo-security change. Is there any reason to > prevent users from reading the kernel? Presumably, /usr/src/sys is In some case I don't want my users to read a kernel name list. > readable anyhow, so a person could build their own kernel with the same > configuration, so they may as well just copy the running one. You do not always have /usr/src/sys on your machine. Especially on a production enviroment. > Or, in other words -- if you are going to make a change, 0444 seems like > the way to go. I'd say 0440 > -- dima To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199804151652.JAA00719>