Date:      Wed, 15 Apr 1998 20:56:35 -0700 (PDT)
From:      dima@best.net (Dima Ruban)
To:        louie@TransSys.COM (Louis A. Mamakos)
Cc:        dima@best.net, tsprad@set.spradley.tmi.net, trost@cloud.rain.com, stable@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject:   Re: kernel permissions
Message-ID:  <199804160356.UAA03077@burka.rdy.com>
In-Reply-To: <199804160343.XAA06049@whizzo.TransSys.COM> from "Louis A. Mamakos" at "Apr 15, 98 11:43:24 pm"

Louis A. Mamakos writes:
> 
> > One more time. In some cases you don't want your users to read kernel
> > namelist. Generic kernel source code won't help.
> 
> So, chmod 440 /kernel on *your* system.
> 
> And how many cases are there where other programs installed on the system
> need to read the kernel namelist?  You'll break those by making a change
> in the distribution.

Every program that needs to have access to the kernel namelist needs to
be sgid to kmem (if it's not already sgid to root). Otherwise it won't be
able to do _anything_ with this information.

Which means - this change is not going to break anything.

> > Another example. Do a search on your local box for all the programs that
> > don't allow 'others' to read the binary. Ever wonder why?
> 
> Hmm.. I found exactly 1 - suidperl.  This is hardly a compelling argument
> to change a well established convention.

What about suidperl?

> I don't dispute the utility to some for changing the permissions on the
> /kernel file, but it's just not clear this is a universally good idea.
> Next thing you know, you'll want to chmod 440 /etc/rc.conf :-)

Changing permissions on rc.conf won't do _any_ good.

> louie

-- dima
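The two checks argued over in this exchange, written up as a small sh audit. This is an added example, not code from the thread or from FreeBSD: it lists the programs that are setgid to the kmem group (the only ones that can open /dev/kmem and so actually use the namelist) and the binaries that already deny read to 'others'. The kernel path, group name and search roots are taken as arguments, an assumption made so it can be run against any tree.

```shell
# Added example (not from the thread). The group may be given as a name
# ("kmem") or as a numeric gid; search roots follow it.

# Programs that are setgid to the given group. These can already read
# /dev/kmem, so denying 'others' read access to the kernel file cannot
# take anything away from them.
list_sgid_group() {
    _group="$1"; shift
    find "$@" -type f -perm -2000 -group "$_group" 2>/dev/null
}

# Dima's suggestion: binaries whose mode denies read permission to 'others'.
list_not_world_readable() {
    find "$@" -type f ! -perm -004 2>/dev/null
}

# 0 if the file grants read to 'others', 1 if not, 2 if it does not exist.
# The 8th character of "ls -l" output is the other-read bit on BSD and GNU.
is_world_readable() {
    [ -e "$1" ] || return 2
    _bits=$(ls -ld "$1" | cut -c8)
    [ "$_bits" = "r" ]
}

# Summarise what "chmod 440 <kernel>" would and would not affect.
audit_kernel() {
    _kernel="$1"; _group="$2"; shift 2
    if is_world_readable "$_kernel"; then
        echo "$_kernel is world-readable"
    else
        echo "$_kernel is not world-readable"
    fi
    echo "setgid-$_group programs (unaffected, they read /dev/kmem anyway):"
    list_sgid_group "$_group" "$@" | sed 's/^/  /'
    echo "binaries already hidden from 'others':"
    list_not_world_readable "$@" | sed 's/^/  /'
}

# On a live FreeBSD box of that era:
#   audit_kernel /kernel kmem /bin /sbin /usr/bin /usr/sbin
```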
