Date: Fri, 26 Jan 1996 01:37:32 -0800 (PST)
From: obrien@cs.ucdavis.edu (David E. O'Brien)
To: security@freebsd.org
Subject: Re: Ownership of files/tcp_wrappers port
Message-ID: <9601260937.AA00228@toadflax.cs.ucdavis.edu>
In-Reply-To: <199601250134.AA23162@gateway.fedex.com> from "William McVey" at Jan 24, 96 07:36:57 pm

> If you're paranoid, your NFS mounts are nosuid. I'd say bin was of
> comparable secureness to root. Root is, however, more likely to be stupid
> and use their password in cleartext over the 'net or be shoulder-snooped.

Nope, I've used the NFS mount someone's disk on my machine where I have root, several times to fix problems when the other "sysadmins" didn't maintain their boxes very well. Much easier than trying to explain to them how to fix things. I did this with OUT sniffing or shoulder-snooping. In fact NFS'ing and su bin'ing is _SO_ much easier.

Exporting read-only would help reduce this ability, but if I remember correctly, there is a bug/hole where you can still trick out NFS to write to such an exported disk.

As demonstrated by Nathan Lawson <nlawson@statler.csc.calpoly.edu>, having system binaries owned by ``bin'' has serious security flaws that would be reduced by having them owned by ``root''. The *real* question is how do we go about _officially_ changing this? Petition JKH? Find a sympathetic ear on the Core team?

-- David (obrien@cs.ucdavis.edu)
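
An audit for the ownership problem discussed in this message, as an added example that is not part of the original e-mail or of FreeBSD: it walks a directory tree and reports every entry that is owned by a uid outside a trusted set (root by default) or that is world-writable. The function names, the directory list in the main block and the sample tree are assumptions made for illustration.

```python
import os
import stat
import tempfile


def audit_tree(root, trusted_uids=frozenset({0})):
    """Return (path, owner_uid, reasons) for entries under root that an
    account outside trusted_uids could modify or replace."""
    entries = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        entries += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = []
    for path in sorted(entries):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # a link's target is judged where it actually lives
        reasons = []
        # Directories count too: whoever owns one can swap the files inside.
        if st.st_uid not in trusted_uids:
            reasons.append("untrusted-owner")
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if reasons:
            findings.append((path, st.st_uid, reasons))
    return findings


def build_sample_tree():
    """Constructed sample: one directory holding a 0755 file and a 0777 file."""
    root = tempfile.mkdtemp(prefix="audit-sample-")
    for name, mode in (("ls", 0o755), ("helper", 0o777)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)  # explicit chmod so the umask does not interfere
    return root


if __name__ == "__main__":
    # Assumed list of system binary directories; adjust for the host.
    for top in ("/bin", "/sbin", "/usr/bin", "/usr/sbin"):
        if os.path.isdir(top):
            for path, uid, reasons in audit_tree(top):
                print(f"{path}\tuid={uid}\t{','.join(reasons)}")
```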