Date: Mon, 30 Sep 1996 12:43:09 -0400
From: Garrett Wollman <wollman@lcs.mit.edu>
To: Marc Slemko <marcs@znep.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: setuid programs in freebsd
Message-ID: <9609301643.AA22082@halloran-eldar.lcs.mit.edu>
In-Reply-To: <Pine.BSF.3.95.960929214259.16956L-100000@alive.ampr.ab.ca>
References: <Pine.BSF.3.95.960929214259.16956L-100000@alive.ampr.ab.ca>

<<On Sun, 29 Sep 1996 21:55:48 -0600 (MDT), Marc Slemko <marcs@znep.com> said:

> chpass, chfn, chsh, ypchpass, ypchfn and ypchsh are links to the same file.
> USE: Used to change various information in the password file.
> IMPACT: If the setuid flag is removed, users will be unable to change
> information in the password file.

Should specifically state which information can be modified by users.

> COMMENTS: *** Pointer to S/Key info. *** Does S/Key need to be setuid
> root?

It needs to be set-id something, in order to be able to modify the
/etc/skeykeys file. Since `login' is already root, it does not make
sense to me to create a special user for this file.

> 7843 24 -r-sr-xr-x 1 root bin 12288 Jul 16 20:30 ./usr/bin/lock
> IMPACT: *** None?!?! (won't let user use login password to disable)

Bzzzt. Any program which needs to verify a password must be root
because non-root users cannot read /etc/spwd.db.

> usability. ** add not on rlogin and host based auth in general?
> USE: rsh is similar to rlogin in that it allows remote execution of
> commands, however rsh can not be used with interactive commands. ***
> fix up

Correctly stated: rsh cannot be used with commands that expect to
interact with a terminal.

> COMMENTS: In many environments, rsh can not be disabled without having
> an unacceptable impact on system usability.

More comments: the principal r* commands (rcp, rsh, rlogin) are
equipped to do Kerberos authentication and encryption if the user has
installed that distribution subset. If Kerberos is working properly
to all destinations of interest, the set-uid bit can be removed with
no impact on functionality. (It only comes into play when the
Kerberos-authenticated mechanism fails and the programs fall back to
rcmd(3).)

> 7901 24 -r-sr-xr-x 1 root bin 12288 Jul 16 20:31 ./usr/bin/su

More comments: If the `su' program is built with the WHEEL_SU option,
or Kerberos is in use AND the local host has an rcmd.hostname key in
/etc/srvtab AND root has a .klogin file AND the user has a
username.root instance which is listed in said .klogin file, users in
group wheel becoming root can authenticate with their own passwords.
(For Kerberized su to root, it would be with username.root's password,
not necessarily the same as username.'s password.)

The WHEEL_SU facility is perhaps most valuable in conjunction with
S/Key, since it allows authorized users to use their own private S/Key
one-time pads to become root, thus making remote administration more
secure.

> 76850 24 -r-sr-xr-x 1 root bin 12288 Jul 16 20:22 ./usr/libexec/mail.local
> COMMENTS: *** related to sendmail, setgid possibilities

None. mail.local has to be able to create the mailbox if it doesn't
exist, and it won't be able to chown it to the appropriate user if it
doesn't have root.

> 207 352 -r-sr-xr-x 1 root bin 172032 Jul 16 20:15 ./bin/rcp
> USE: Used to copy files across the network.
> IMPACT: Removing the setuid flag results in users other than root being
> unable to use rcp.

See above.

> 734 288 -r-sr-xr-x 1 root bin 139264 Jul 16 20:24 ./sbin/mount_msdos
> IMPACT: removing the setuid flag results in users other than root being
> unable to mount DOS filesystems.

Additional comments: this is done securely inside the kernel without
the need for set-id mount programs in Lite2.

-GAWollman

--
Garrett A. Wollman   | O Siem / We are all family / O Siem / We're all the same
wollman@lcs.mit.edu  | O Siem / The fires of freedom
Opinions not those of| Dance in the burning flame
MIT, LCS, ANA, or NSA| - Susan Aglukark and Chad Irschick

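
Added example, not part of the original message or of FreeBSD: the listing lines quoted in the message have the column layout that `find -ls` prints, so a short filter can turn such a listing into a set-id inventory and flag set-id root files with several hard links, as with the chpass family mentioned above. The function names `audit_setid` and `multilink_setuid_root`, the `find` invocation in the comment, and the chpass, true and example_sgid sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Set-id inventory from `find -ls` output. Columns:
#   inode blocks mode links owner group size month day time path
# On a live system (assumed invocation):
#   find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -ls | audit_setid

# Constructed sample input: the lock and su lines are copied from the message;
# the chpass, true and example_sgid lines are made up for illustration.
sample_listing() {
cat <<'EOF'
7843 24 -r-sr-xr-x 1 root bin 12288 Jul 16 20:30 ./usr/bin/lock
7901 24 -r-sr-xr-x 1 root bin 12288 Jul 16 20:31 ./usr/bin/su
7800 48 -r-sr-xr-x 6 root bin 24576 Jul 16 20:30 ./usr/bin/chpass
7850 16 -r-xr-xr-x 1 root bin 8192 Jul 16 20:30 ./usr/bin/true
7860 16 -r-xr-sr-x 1 root kmem 8192 Jul 16 20:30 ./usr/bin/example_sgid
EOF
}

# audit_setid: read `find -ls` lines on stdin and print one line per set-id file:
#   <setuid|setgid|both> <owner> <group> <links> <path>
audit_setid() {
    awk '
    NF >= 11 {
        u = substr($3, 4, 1)    # owner execute slot: s or S means setuid
        g = substr($3, 7, 1)    # group execute slot: s or S means setgid
        suid = (u == "s" || u == "S")
        sgid = (g == "s" || g == "S")
        if (!suid && !sgid) next
        kind = (suid && sgid) ? "both" : (suid ? "setuid" : "setgid")
        path = $11              # rebuild the path in case it contains spaces
        for (i = 12; i <= NF; i++) path = path " " $i
        print kind, $5, $6, $4, path
    }'
}

# multilink_setuid_root: setuid files owned by root that have more than one
# hard link. A chmod on any one name changes every name sharing that inode.
multilink_setuid_root() {
    audit_setid | awk '$1 != "setgid" && $2 == "root" && $4 + 0 > 1 {
        sub(/^[^ ]+ [^ ]+ [^ ]+ [^ ]+ /, ""); print
    }'
}

sample_listing | audit_setid
```
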
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9609301643.AA22082>