From owner-freebsd-security Fri Jan 26 01:37:54 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id BAA26593 for security-outgoing; Fri, 26 Jan 1996 01:37:54 -0800 (PST)
Received: from toadflax.cs.ucdavis.edu (toadflax.cs.ucdavis.edu [128.120.56.188]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id BAA26586 for ; Fri, 26 Jan 1996 01:37:50 -0800 (PST)
Received: by toadflax.cs.ucdavis.edu (4.1/UCD.CS.2.6) id AA00228; Fri, 26 Jan 96 01:37:35 PST
From: obrien@cs.ucdavis.edu (David E. O'Brien)
Message-Id: <9601260937.AA00228@toadflax.cs.ucdavis.edu>
Subject: Re: Ownership of files/tcp_wrappers port
To: security@freebsd.org
Date: Fri, 26 Jan 1996 01:37:32 -0800 (PST)
In-Reply-To: <199601250134.AA23162@gateway.fedex.com> from "William McVey" at Jan 24, 96 07:36:57 pm
X-Mailer: ELM [version 2.4 PL24 ME8b]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
Precedence: bulk

> If you're paranoid, your NFS mounts are nosuid. I'd say bin was of
> comparable secureness to root. Root is, however, more likely to be stupid
> and use their password in cleartext over the 'net or be shoulder-snooped.

Nope, I've used NFS to mount someone's disk on my machine where I have root, several times, to fix problems when the other "sysadmins" didn't maintain their boxes very well. Much easier than trying to explain to them how to fix things. I did this WITHOUT sniffing or shoulder-snooping. In fact, NFS'ing and su bin'ing is _SO_ much easier.

Exporting read-only would help reduce this ability, but if I remember correctly, there is a bug/hole where you can still trick out NFS to write to such an exported disk.

As demonstrated by Nathan Lawson, having system binaries owned by ``bin'' has serious security flaws that would be reduced by having them owned by ``root''. The *real* question is how do we go about _officially_ changing this? Petition JKH? Find a sympathetic ear on the Core team?

--
David (obrien@cs.ucdavis.edu)
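The ownership point argued in this thread (a binary owned by a non-root account such as ``bin'' can be replaced by anyone who can become that account, which is a lower bar than becoming root) is something an administrator can audit mechanically. The script below is an added example, not code from the original message or from the FreeBSD project. It assumes GNU `find -printf` for the live scan (a FreeBSD `stat -f` form is noted in a comment) and uses constructed sample records so the check itself runs offline; the uid 3 entries stand in for bin-owned binaries.

```shell
#!/bin/sh
# Added example (not part of the original mail): audit system binaries for
# files not owned by uid 0, or writable by group/other. Either condition lets
# an account weaker than root replace a system binary.
#
# flag_non_root reads records on stdin, one per line: "<uid> <octal-mode> <path>".
# GNU find produces them with:     find DIR -type f -printf '%U %m %p\n'
# FreeBSD (assumed stat format):   find DIR -type f -exec stat -f '%u %Lp %N' {} +

# Print one line per offending file, with the reason(s).
flag_non_root() {
    awk '
    {
        uid = $1; mode = $2
        path = $0; sub(/^[^ ]+ [^ ]+ /, "", path)   # keep paths with spaces intact
        reason = ""
        if (uid != 0) reason = "owner uid " uid
        # Group and other permissions are the last two octal digits; write = bit 2.
        g = substr(mode, length(mode) - 1, 1) + 0
        o = substr(mode, length(mode), 1) + 0
        if (int(g / 2) % 2 == 1 || int(o / 2) % 2 == 1) {
            if (reason != "") reason = reason "; "
            reason = reason "group/other writable"
        }
        if (reason != "") print path ": " reason
    }'
}

# Constructed sample records standing in for a find run. uid 3 models the
# bin account discussed in the thread; 4755 is a normal set-uid root binary.
SAMPLE='0 755 /bin/ls
3 755 /usr/bin/su
0 775 /usr/bin/passwd
3 777 /usr/libexec/ld.so
0 4755 /usr/bin/passwd.real'

# Number of findings over the sample (expected: su, passwd, ld.so).
count_sample_findings() {
    printf '%s\n' "$SAMPLE" | flag_non_root | wc -l | tr -d ' '
}

# Live scan of a directory tree (GNU find syntax; see the FreeBSD form above).
scan_tree() {
    find "$1" -type f -printf '%U %m %p\n' 2>/dev/null | flag_non_root
}

# Stand-alone usage: report on the constructed sample.
printf '%s\n' "$SAMPLE" | flag_non_root
```

For a real audit, run `scan_tree /bin`, `scan_tree /usr/bin` and so on, and treat every line of output as a file whose integrity depends on an account other than root. The mode check is included because a root-owned but group-writable binary has the same weakness the thread describes for bin-owned ones.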