From owner-freebsd-stable Wed Apr 15 20:57:24 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id UAA20717 for freebsd-stable-outgoing; Wed, 15 Apr 1998 20:57:24 -0700 (PDT) (envelope-from owner-freebsd-stable@FreeBSD.ORG)
Received: from burka.rdy.com (dima@burka.rdy.com [205.149.163.30]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA20695; Wed, 15 Apr 1998 20:57:18 -0700 (PDT) (envelope-from dima@burka.rdy.com)
Received: by burka.rdy.com id UAA03077; (8.8.8/RDY) Wed, 15 Apr 1998 20:56:35 -0700 (PDT)
Message-Id: <199804160356.UAA03077@burka.rdy.com>
Subject: Re: kernel permissions
In-Reply-To: <199804160343.XAA06049@whizzo.TransSys.COM> from "Louis A. Mamakos" at "Apr 15, 98 11:43:24 pm"
To: louie@TransSys.COM (Louis A. Mamakos)
Date: Wed, 15 Apr 1998 20:56:35 -0700 (PDT)
Cc: dima@best.net, tsprad@set.spradley.tmi.net, trost@cloud.rain.com, stable@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
X-Class: Fast
Organization: HackerDome
Reply-To: dima@best.net
From: dima@best.net (Dima Ruban)
X-Mailer: ELM [version 2.4ME+ PL38 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk

Louis A. Mamakos writes:
>
> > One more time. In some cases you don't want your users to read kernel
> > namelist. Generic kernel source code won't help.
>
> So, chmod 440 /kernel on *your* system.
>
> And how many cases are there where other programs installed on the system
> need to read the kernel namelist? You'll break those by making a change
> in the distribution.

Every program that needs to have access to the kernel namelist needs to be
sgid to kmem (if it's not already sgid to root). Otherwise it won't be able
to do _anything_ with this information. Which means - this change is not
going to break anything.

> > Another example. Do a search on your local box for all the programs that
> > don't allow 'others' to read the binary. Ever wonder why?
>
> Hmm.. I found exactly 1 - suidperl. This is hardly a compelling argument
> to change a well established convention.

What about suidperl?

> I don't dispute the utility to some for changing the permissions on the
> /kernel file, but it's just not clear this is a universally good idea.
> Next thing you know, you'll want to chmod 440 /etc/rc.conf :-)

Changing permissions on rc.conf won't do _any_ good.

> louie

-- dima
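The argument in this thread is that a program which reads the kernel namelist also needs /dev/kmem, so only binaries that are already setgid kmem (or setuid root) can do anything useful with /kernel, and tightening /kernel to 0440 changes nothing for them. The model below is an added example, not code from the thread or from FreeBSD: it implements the classic Unix read-permission check and setuid/setgid credential switch, then runs a constructed inventory of binaries against /kernel before and after the change. The group id 2 for kmem, the 0640 root:kmem mode of /dev/kmem, the binary list and the user id 1001 are all assumptions made for the example. It also shows the caveat a practitioner should check: "chmod 440" only preserves the setgid-kmem tools if /kernel is group-owned by kmem; a 0440 root:wheel kernel locks those tools out too.

```python
"""Added example: model who can still use the kernel namelist after
chmod 440 /kernel.  All ids, modes and paths below are constructed."""
import stat
from dataclasses import dataclass

UID_ROOT = 0
GID_WHEEL = 0
GID_KMEM = 2        # assumed: FreeBSD's kmem group id
UID_USER = 1001     # constructed unprivileged user (also its login group)


@dataclass(frozen=True)
class FileEntry:
    path: str
    mode: int       # permission bits plus setuid/setgid, e.g. 0o2555
    uid: int
    gid: int


@dataclass(frozen=True)
class Process:
    name: str
    euid: int
    egid: int
    groups: frozenset  # supplementary groups


def can_read(f: FileEntry, p: Process) -> bool:
    """Unix read check: root always; otherwise exactly one class applies
    (owner, else group, else other) with no fall-through between them."""
    if p.euid == UID_ROOT:
        return True
    if p.euid == f.uid:
        return bool(f.mode & stat.S_IRUSR)
    if p.egid == f.gid or f.gid in p.groups:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)


def exec_as(binary: FileEntry, invoker: Process) -> Process:
    """Credentials the process gets when `invoker` runs `binary`:
    a setuid/setgid bit replaces the effective uid/gid."""
    euid = binary.uid if binary.mode & stat.S_ISUID else invoker.euid
    egid = binary.gid if binary.mode & stat.S_ISGID else invoker.egid
    return Process(binary.path, euid, egid, invoker.groups)


def can_use_namelist(binary: FileEntry, kernel: FileEntry,
                     kmem: FileEntry, invoker: Process) -> bool:
    """A namelist reader needs both the symbol table (the kernel file)
    and /dev/kmem; either one alone is useless to it."""
    p = exec_as(binary, invoker)
    return can_read(kernel, p) and can_read(kmem, p)


def working_tools(binaries, kernel, kmem, invoker) -> frozenset:
    return frozenset(b.path for b in binaries
                     if can_use_namelist(b, kernel, kmem, invoker))


# Constructed inventory (assumptions, not a real system's listing).
KMEM_DEV = FileEntry("/dev/kmem", 0o640, UID_ROOT, GID_KMEM)
BINARIES = [
    FileEntry("/bin/ps", 0o2555, UID_ROOT, GID_KMEM),          # sgid kmem
    FileEntry("/usr/bin/netstat", 0o2555, UID_ROOT, GID_KMEM),  # sgid kmem
    FileEntry("/usr/local/bin/mytool", 0o755, UID_USER, UID_USER),  # plain
]
USER = Process("user", UID_USER, UID_USER, frozenset({UID_USER}))

KERNEL_DEFAULT = FileEntry("/kernel", 0o555, UID_ROOT, GID_WHEEL)
KERNEL_KMEM_440 = FileEntry("/kernel", 0o440, UID_ROOT, GID_KMEM)   # chgrp kmem first
KERNEL_WHEEL_440 = FileEntry("/kernel", 0o440, UID_ROOT, GID_WHEEL)  # chmod only


def compare(before: FileEntry, after: FileEntry, binaries=BINARIES,
            kmem=KMEM_DEV, invoker=USER):
    """Return (tools working before, tools working after, tools broken)."""
    b = working_tools(binaries, before, kmem, invoker)
    a = working_tools(binaries, after, kmem, invoker)
    return b, a, b - a


if __name__ == "__main__":
    for label, kern in (("0440 root:kmem", KERNEL_KMEM_440),
                        ("0440 root:wheel", KERNEL_WHEEL_440)):
        before, after, broken = compare(KERNEL_DEFAULT, kern)
        print(f"{label}: before={sorted(before)} after={sorted(after)} "
              f"broken={sorted(broken)}")
```

With the kernel file group-owned by kmem, the set of tools that can use the namelist is the same before and after the change, and the unprivileged user's own program was never in that set because it could not open /dev/kmem in the first place; with the group left as wheel, every setgid-kmem tool breaks, so the chgrp is the step to verify before tightening the mode.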