From: Paul Richards
Message-Id: <199601251138.LAA24328@cadair.elsevier.co.uk>
Subject: bin owned files
To: security@FreeBSD.org
Date: Thu, 25 Jan 1996 11:38:47 +0000 (GMT)

I'll summarise all the points against what I said briefly.

Getting bin access does not give you root access. As bin you can't touch root files and you can't create a suid root file either. Users can't give away ownership. Therefore, the only way to get root access from bin is to replace, say, /bin/sh with a program that creates a suid root sh *when it is run by root*. If you log in as root and don't realise that there has been a compromise of bin then that is your problem, but in and of itself a bin compromise is safer than a root compromise for the reasons I previously explained.

All other arguments relate to NFS and I refuse to even discuss NFS in this context. If you crack root anywhere on an NFS system then the whole system is compromised, and while making things owned by root makes it a little harder, it is no protection. I can masquerade as many other users and find other ways to do what I want. The whole point is, there *was* a root break-in; the fact that it wasn't the actual server box is not an issue. NFS cannot be regarded as a number of separate machines from a security context: a compromise on one is a compromise on them all.

--
Paul Richards. Originative Solutions Ltd.
Internet: paul@netcraft.co.uk, http://www.netcraft.co.uk
Phone: 0370 462071 (Mobile), +44 1225 447500 (work)
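The hazard in the message above is a system binary owned by bin that root will later execute. The audit below is an added example, not part of the original post; it flags files under a tree whose owner is not the expected uid, and setuid files in particular, and exercises itself on a constructed temporary tree (the real targets, such as /bin with expected owner uid 0, are an assumption shown only in comments).

```shell
#!/bin/sh
# Audit a directory tree for binaries that a non-root account such as "bin"
# could replace: report regular files not owned by the expected uid, and
# separately any setuid file whose owner is not that uid. POSIX find(1) only.

# Print the regular files under $1 that are NOT owned by uid (or name) $2.
files_not_owned_by() {
    find "$1" -type f ! -user "$2" 2>/dev/null
}

# Print the setuid regular files under $1 whose owner is not $2.
setuid_not_owned_by() {
    find "$1" -type f -perm -4000 ! -user "$2" 2>/dev/null
}

# Count lines on stdin, tolerating empty input.
count_lines() {
    n=0
    while IFS= read -r _; do n=$((n + 1)); done
    echo "$n"
}

# Build a constructed sample tree in a temp directory. The files are owned by
# the current user because the example must run unprivileged; the test passes
# a uid that is deliberately not ours to simulate "expected owner is root".
make_sample_tree() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho sh\n' > "$d/sh"
    printf '#!/bin/sh\necho ls\n' > "$d/ls"
    chmod 755 "$d/sh" "$d/ls"
    chmod 4755 "$d/ls"      # one setuid file for the demonstration
    echo "$d"
}

# Assumed real-world use (run as root, expected owner uid 0):
#   files_not_owned_by /bin 0
#   setuid_not_owned_by /usr/bin 0
```

Any path printed by the second function is a binary that a compromise of its owner could turn into the "suid root sh when run by root" trojan the message describes.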