Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 15 Apr 1998 09:52:58 -0700 (PDT)
From:      dima@best.net (Dima Ruban)
To:        trost@cloud.rain.com (Bill Trost)
Cc:        stable@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject:   Re: kernel permissions
Message-ID:  <199804151652.JAA00719@burka.rdy.com>
In-Reply-To: <19282.892651401@cloud.rain.com> from Bill Trost at "Apr 15, 98 07:43:21 am"

next in thread | previous in thread | raw e-mail | index | archive | help
Bill Trost writes:
> Dima Ruban writes:
>     Is there a particular reason of kernel being installed with 555 root/wheel
>     permissions instead of 550 root/kmem ?
>     
>     If nobody has nothing against it - I'll commit the change.
> 
> Is "/kernel" typically the first command in the pipe, or should it
> appear in the middle?  (-:
> 
> Maybe I am missing something, but I see no reason for /kernel to have
> the execute bits set.  I doubt that the boot loader cares, and no one
> wants to actually execute the kernel when it's already running.

Sure, 440 permissions are fine with me.

> As for the world read permissions:  Removing the read permissions seems
> like a gratuitious pseudo-security change.  Is there any reason to
> prevent users from reading the kernel?  Presumably, /usr/src/sys is

In some case I don't want my users to read a kernel name list.

> readable anyhow, so a person could build their own kernel with the same
> configuration, so they may as well just copy the running one.

You do not always have /usr/src/sys on your machine. Especially
on a production enviroment.

> Or, in other words -- if you are going to make a change, 0444 seems like
> the way to go.

I'd say 0440

> 

-- dima

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199804151652.JAA00719>