Date:      Wed, 15 Apr 1998 12:10:49 -0500
From:      Karl Denninger  <karl@Mcs.Net>
To:        dima@best.net
Cc:        Bill Trost <trost@cloud.rain.com>, stable@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject:   Re: kernel permissions
Message-ID:  <19980415121049.17497@Mcs.Net>
In-Reply-To: <199804151652.JAA00719@burka.rdy.com>; from Dima Ruban on Wed, Apr 15, 1998 at 09:52:58AM -0700
References:  <19282.892651401@cloud.rain.com> <199804151652.JAA00719@burka.rdy.com>

On Wed, Apr 15, 1998 at 09:52:58AM -0700, Dima Ruban wrote:
> Bill Trost writes:
> > Dima Ruban writes:
> >     Is there a particular reason for the kernel being installed with 555 root/wheel
> >     permissions instead of 550 root/kmem ?
> >     
> >     If nobody has anything against it - I'll commit the change.
> > 
> > Is "/kernel" typically the first command in the pipe, or should it
> > appear in the middle?  (-:
> > 
> > Maybe I am missing something, but I see no reason for /kernel to have
> > the execute bits set.  I doubt that the boot loader cares, and no one
> > wants to actually execute the kernel when it's already running.
> 
> Sure, 440 permissions are fine with me.
> 
> > As for the world read permissions:  Removing the read permissions seems
> > like a gratuitous pseudo-security change.  Is there any reason to
> > prevent users from reading the kernel?  Presumably, /usr/src/sys is
> 
> In some cases I don't want my users to read a kernel name list.
> 
> > readable anyhow, so a person could build their own kernel with the same
> > configuration, so they may as well just copy the running one.
> 
> You do not always have /usr/src/sys on your machine. Especially
> on a production environment.
> 
> > Or, in other words -- if you are going to make a change, 0444 seems like
> > the way to go.
> 
> I'd say 0440

Agreed.

-- 
Karl Denninger (karl@MCS.Net)| MCSNet - Serving Chicagoland and Wisconsin
http://www.mcs.net/          | T1's from $600 monthly / All Lines K56Flex/DOV
			     | NEW! Corporate ISDN Prices dropped by up to 50%!
Voice: [+1 312 803-MCS1 x219]| EXCLUSIVE NEW FEATURE ON ALL PERSONAL ACCOUNTS
Fax:   [+1 312 803-4929]     | *SPAMBLOCK* Technology now included at no cost
