From owner-freebsd-hackers Mon Feb 24 13:07:32 1997
Return-Path: <owner-hackers@freebsd.org>
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id NAA17974 for hackers-outgoing; Mon, 24 Feb 1997 13:07:32 -0800 (PST)
Received: from alpo.whistle.com (alpo.whistle.com [207.76.204.38]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id NAA17768; Mon, 24 Feb 1997 13:04:09 -0800 (PST)
Received: from current1.whistle.com (current1.whistle.com [207.76.205.22]) by alpo.whistle.com (8.8.5/8.8.4) with SMTP id KAA17994; Mon, 24 Feb 1997 10:48:29 -0800 (PST)
Message-ID: <3311E1FD.167EB0E7@whistle.com>
Date: Mon, 24 Feb 1997 10:46:21 -0800
From: Julian Elischer
Organization: Whistle Communications
X-Mailer: Mozilla 3.0Gold (X11; I; FreeBSD 2.2-CURRENT i386)
MIME-Version: 1.0
To: Adrian Chadd
CC: Jake Hamby, hackers@freebsd.org, auditors@freebsd.org
Subject: Re: disallow setuid root shells?
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Adrian Chadd wrote:
>
> On Sun, 23 Feb 1997, Jake Hamby wrote:
> > access. Under Solaris, I've discovered that none of the standard shells
> > will allow a user to gain root privileges through a setuid root shell!
> >
> > The sh and ksh shells will run, but the user will have their normal
> > privileges. Csh (and interestingly enough tcsh) print "Permission denied"
> > and exit when run with the setuid bit set.
> >
>
> Since I'm reviewing /bin/sh and /bin/csh, it might make an interesting
> addition. Anyone see any use for +s'ed shells? Anything it can do, sudo
> can do (and sudo AFAIK is much smaller, so less code to screw around
> with), and I think it's a good idea.
>
> Suggestions?

Well, the security audit should pick up any new suid files each night,
and if they broke root they're not going to have any problem writing
something simpler, but I guess the question is: Does it make it more
inconvenient for them? Does it make it more likely that they will slip
up? Does it also make it much more inconvenient for OTHER people (legit
users)? Personally, it breaks the principle of least surprise, forces
people to develop other methods and thereby muddies the waters. It's not
a bad idea but I'd vote against it. (However, I MIGHT think about adding
LOGGING of such an event? :) (In the same way that su logs.)