Date: Thu, 25 Jan 1996 01:15:57 -0600 From: William McVey <wam@fedex.com> To: James Seng <jseng@stf.org.sg> Cc: security@freebsd.org Subject: Re: Ownership of files/tcp_wrappers port Message-ID: <199601250713.AA27853@gateway.fedex.com>
next in thread | raw e-mail | index | archive | help
James Seng wrote: >Perhaps i think root have too much power? It seem like none or all solution. >In this aspect VMS is better i guess. Making a bin owner for system files does not fix this. Root's privileges come from a fundemental design of the operating system. I'm really skeptical that this could be corrected by user level changes on owners. The simple fact is you aren't taking any privileges away from root by creating the bin account. Root can always become 'bin' therefore putting your trust in the bin account doesn't keep root from being all powerful. >In that case, i guess the system admin should wake up a bit *8) Anyone >who see bin in that wtmp got to do something fast... The point is that wtmp is a detection tool. Once bin has logged in, its a straight path to root and wtmp is likely to be fixed to remove any indication of wrong doing. The real solution is to focus on prevention of the problem, not detection. The way to prevent this is to set the owners of critical system files (system binaries included) to be root. >It is funny that we have access control on telnetd (or is it >logind?), that is who and who is able to login thru telnet, but we have no >access control on rlogin, rsh etc...hmm... We have user level access control on telnet? How? The user isn't defined in starting a telnet session until the network has connected you to login. I think you may be confusing our recent discussions of tcpd, which does host based access control. But this is available on the rsh suite of tools as well. >> It hurts security. I still have yet to hear a good reason why bin ownership >> has even one advantage over root. >Lets see...because we dont like root to have too much privelliges? *8)))))) >(sorry, i couldnt think of a good reason either but i support the idea for > bin to own binaries..hehe *8) I assume the smileys indicate massive sarcasm. -- William
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199601250713.AA27853>