From: Eivind Eklund <eivind@dimaga.com>
To: "Jordan K. Hubbard"
Cc: Warner Losh, Julian Elischer, Adrian Chadd, Jake Hamby, hackers@freebsd.org, auditors@freebsd.org
Date: Mon, 24 Feb 1997 22:36:40 +0100
Subject: Re: disallow setuid root shells?
Message-Id: <3.0.32.19970224223639.00b243d0@dimaga.com>

At 01:22 PM 2/24/97 -0800, Jordan K. Hubbard wrote:
>> I think that I like this better. There are many people that use a
>> setuid/setgid shell program to allow access to other programs on the
>> system. At least this was true before sudo and friends.
>
>I could also live with this. I have thought a bit more about
>supporting the exit-on-suid shell hack, and I have to also agree with
>some of the folks who point out that it really *would* violate POLA
>and veer dangerously close to just breaking something in support of
>arbitrary principles rather than good engineering. Feh. This is
>clearly one of those issues with lots of pros-and-cons on either
>side. :-)
>
>How about if we be conservative and just add logging for now?
:-) I actually think logging could be much more effective than just
exiting - with logging (especially remote logging) you'd actually have a
trace of how the intruder got in, and standard exploits would probably
still use /bin/sh to give a root shell (they're usually made to
demonstrate a point, not to create good intruder tools). Any luser that
uses a standard exploit will end up in the log file on another host
*grin*.

I'd really like it to log the remote address for the session if
available - nice to have for a later manhunt...

Eivind Eklund
perhaps@yes.no
http://maybe.yes.no/perhaps/
eivind@freebsd.org
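The "just add logging" option being discussed, written out as an added example (this is not FreeBSD's sh code and was not posted in the thread): at startup the shell compares its real and effective ids, and if it finds itself setuid-root it writes a record to the auth facility with the tty and, as Eivind asks for, the remote host that login recorded for that tty. It assumes a POSIX system with syslog(3) and a utmpx(3) that carries a ut_host field (glibc and modern FreeBSD do; the 1997 tree used utmp(5), where the same field exists); the message format and the function names are my own.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <syslog.h>
#include <utmpx.h>
#include <sys/types.h>

/* Credential state a shell can find itself in at startup. */
enum suid_state { SUID_NONE = 0, SUID_ROOT = 1, SUID_OTHER = 2 };

/* Pure classification of (real, effective) ids so it can be tested without
 * actually being setuid. A shell started from a setuid-root binary, or by an
 * exploit that only changed its euid, shows ruid != euid with euid == 0. */
enum suid_state classify_creds(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    if (ruid != euid && euid == 0)
        return SUID_ROOT;
    if (ruid != euid || rgid != egid)
        return SUID_OTHER;      /* setuid/setgid to some non-root id */
    return SUID_NONE;
}

/* Best effort: find the remote host that login(1)/telnetd/sshd recorded for
 * this tty in utmpx. Leaves host empty when nothing matches so the record
 * stays well-formed. tty is the line name without "/dev/", e.g. "ttyp3". */
void remote_host_for_tty(const char *tty, char *host, size_t hostlen)
{
    struct utmpx *u;
    host[0] = '\0';
    setutxent();
    while ((u = getutxent()) != NULL) {
        if (u->ut_type == USER_PROCESS &&
            strncmp(u->ut_line, tty, sizeof u->ut_line) == 0) {
            /* ut_host need not be NUL-terminated; bound the copy. */
            snprintf(host, hostlen, "%.*s", (int)sizeof u->ut_host, u->ut_host);
            break;
        }
    }
    endutxent();
}

/* Render the record exactly as it is handed to syslog(3). Returns the length
 * snprintf would have produced, so a caller can detect truncation. */
int format_suid_record(char *buf, size_t buflen, uid_t ruid, uid_t euid,
                       const char *tty, const char *host)
{
    return snprintf(buf, buflen,
                    "setuid shell started: ruid=%lu euid=%lu tty=%s from=%s",
                    (unsigned long)ruid, (unsigned long)euid, tty,
                    host[0] ? host : "?");
}

/* Stand-alone use: check the current process and log, never exit, which is
 * the conservative option from the thread. */
int main(void)
{
    char tty[64], host[256], rec[512];
    const char *name;

    if (classify_creds(getuid(), geteuid(), getgid(), getegid()) == SUID_NONE)
        return 0;

    name = ttyname(STDIN_FILENO);
    if (name == NULL)
        name = "?";
    else if (strncmp(name, "/dev/", 5) == 0)
        name += 5;
    snprintf(tty, sizeof tty, "%s", name);

    remote_host_for_tty(tty, host, sizeof host);
    format_suid_record(rec, sizeof rec, getuid(), geteuid(), tty, host);

    /* LOG_AUTH so syslog.conf can forward it off-host (e.g. "auth.* @loghost"),
     * which is what makes the trace survive an intruder wiping local logs. */
    openlog("sh", LOG_PID, LOG_AUTH);
    syslog(LOG_WARNING, "%s", rec);
    closelog();
    return 0;
}
```

The classification is kept separate from the logging so the policy (log only, or log and exit) can be swapped without touching the detection, and so the ruid/euid logic can be exercised without installing a setuid binary. The remote host comes from whatever login wrote into utmp, so it is only as trustworthy as that record; an attacker who already has root can rewrite it, which is exactly why the record should leave the machine via syslog forwarding rather than stay in a local file.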