From owner-freebsd-hackers Mon May 19 22:12:01 1997
Message-Id: <199705200511.PAA16611@ogre.dtir.qld.gov.au>
To: freebsd-hackers@freebsd.org
Subject: Re: drwxr-xr-x 2 bin bin /usr/sbin
References: <199705191535.TAA23174@ns.cs.msu.su>
In-Reply-To: <199705191535.TAA23174@ns.cs.msu.su> from "Sergei S. Laskavy" at "Mon, 19 May 1997 15:35:35 +0000"
Date: Tue, 20 May 1997 15:11:27 +1000
From: Stephen McKay

On Monday, 19th May 1997, Sergei S. Laskavy wrote:

>eric@Sendmail.ORG said that
>
>+----------------------------------------------+
>| For security reasons, /, /usr, and /usr/sbin |
>| should be owned by root, mode 755.           |
>+----------------------------------------------+
>
>I think that someone can gain "bin" and then replace
>    /usr/sbin/GOOD_PROGGY
>by
>    /usr/sbin/EVIL_PROGGY

Well, I've not had a chance to rant about this yet...

Of course, you are correct. Having /bin (and/or its contents) owned by bin rather than root just adds another method for attacking your system. Everything should be owned by root unless there is a good reason for it to be owned by some other uid. Usually this "good reason" is to provide a safer uid to setuid to, such as "games" or "uucp", that can cause less damage when hacked or just broken by bugs.

Hacking a game can still compromise the game-playing system administrator, which will then yield root, but it takes longer and there is more chance of detection.

The counter-argument that I have heard is that it makes setuid root programs stand out from the field of bin-owned programs. Nobody should be relying on eyeballing directories for this. That's what tripwire is for. And if you are trusting your ls binary, you can trust your tripwire binary...

Stephen.
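An added example, not from the thread or from FreeBSD: a small audit script for the rule the reply argues for (system directories owned by root, mode 755, so no non-root uid can swap a binary). It parses `ls -ld` output, exactly the form quoted in the Subject line, because the `stat(1)` flags differ between BSD and GNU; the function names and the sample lines are constructed here.

```shell
#!/bin/sh
# Audit directories for the ownership rule discussed in the thread:
# owner root, and neither group- nor world-writable (i.e. mode 755 or tighter).
# Works from "ls -ld" lines so it is portable across BSD and GNU userlands.

# check_ls_line "<one line of ls -ld output>"
# Exit status 0 if the entry is owned by root and not group/world writable,
# 1 otherwise; each failing property is printed with the path.
check_ls_line() {
    set -f                           # no globbing while we split the line
    set -- $1                        # fields: mode links owner group size date... path
    set +f
    mode=$1
    owner=$3
    eval "path=\${$#}"               # the path is the last field
    status=0
    if [ "$owner" != root ]; then
        echo "$path: owned by '$owner', not root (whoever holds that uid can replace its contents)"
        status=1
    fi
    case $mode in                    # char 6 of the mode string is the group write bit
        ?????w*)    echo "$path: group-writable ($mode)"; status=1 ;;
    esac
    case $mode in                    # char 9 is the world write bit
        ????????w*) echo "$path: world-writable ($mode)"; status=1 ;;
    esac
    return $status
}

# audit_dirs DIR...  -- run the check against live directories.
# Exit status 0 only if every directory passes.
audit_dirs() {
    rc=0
    for d in "$@"; do
        line=$(ls -ld "$d" 2>/dev/null) || { echo "$d: cannot list"; rc=1; continue; }
        check_ls_line "$line" || rc=1
    done
    return $rc
}

# Usage: sh audit.sh / /usr /usr/sbin   (no arguments: only define the functions)
[ $# -eq 0 ] || audit_dirs "$@"
```

The `ls -ld` line from the Subject ("drwxr-xr-x 2 bin bin /usr/sbin") fails the owner check even though its mode is 755, which is the thread's point: the mode alone is not enough.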