From owner-freebsd-security Wed Apr 15 09:53:24 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id JAA08143 for freebsd-security-outgoing; Wed, 15 Apr 1998 09:53:24 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from burka.rdy.com (dima@burka.rdy.com [205.149.163.30]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA08039; Wed, 15 Apr 1998 16:53:01 GMT (envelope-from dima@burka.rdy.com) Received: by burka.rdy.com id JAA00719; (8.8.8/RDY) Wed, 15 Apr 1998 09:52:58 -0700 (PDT) Message-Id: <199804151652.JAA00719@burka.rdy.com> Subject: Re: kernel permissions In-Reply-To: <19282.892651401@cloud.rain.com> from Bill Trost at "Apr 15, 98 07:43:21 am" To: trost@cloud.rain.com (Bill Trost) Date: Wed, 15 Apr 1998 09:52:58 -0700 (PDT) Cc: stable@FreeBSD.ORG, freebsd-security@FreeBSD.ORG X-Class: Fast Organization: HackerDome Reply-To: dima@best.net From: dima@best.net (Dima Ruban) X-Mailer: ELM [version 2.4ME+ PL38 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk Bill Trost writes: > Dima Ruban writes: > Is there a particular reason of kernel being installed with 555 root/wheel > permissions instead of 550 root/kmem ? > > If nobody has nothing against it - I'll commit the change. > > Is "/kernel" typically the first command in the pipe, or should it > appear in the middle? (-: > > Maybe I am missing something, but I see no reason for /kernel to have > the execute bits set. I doubt that the boot loader cares, and no one > wants to actually execute the kernel when it's already running. Sure, 440 permissions are fine with me. > As for the world read permissions: Removing the read permissions seems > like a gratuitious pseudo-security change. Is there any reason to > prevent users from reading the kernel? Presumably, /usr/src/sys is In some case I don't want my users to read a kernel name list. > readable anyhow, so a person could build their own kernel with the same > configuration, so they may as well just copy the running one. You do not always have /usr/src/sys on your machine. Especially on a production enviroment. > Or, in other words -- if you are going to make a change, 0444 seems like > the way to go. I'd say 0440 > -- dima To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message