Date: Fri, 26 Jan 1996 13:58:36 -0600
From: William McVey <wam@fedex.com>
To: Paul Richards <p.richards@elsevier.co.uk>
Cc: security@FreeBSD.ORG
Subject: Re: Ownership of files/tcp_wrappers port
Message-ID: <199601261956.AA03214@gateway.fedex.com>
Paul Richards wrote:
>guys, these are NFS problems. If you want to stop people su'ing to bin
>then map bin to nobody as well.

I don't think this is the right approach. I believe it has been shown that if the user 'bin' owns executables run by root, then bin access equals root access. I've not seen any reasons why a bin owner is a good thing other than a supposed separation of root privileges; however, this "separation" doesn't take any privileges away from root and therefore the 'bin' ownership isn't accomplishing anything.

I am at a loss as to why we'd want to build band-aids to gloss over a problem, rather than the problem itself. It has been mentioned before that UNIX was designed to have a single well protected administrative id (root). Why would we want multiple accounts that now need to have an equivalent amount of protection?

You suggest that we should fix the NFS to treat 'bin' special as well as root. This is the wrong approach. Root is treated special by NFS because it *IS* special. The 'bin' user is not inherently special other than the fact that it has been made the owner of files that can be used to break root. The bug here is not that NFS treats 'bin' as any other user since it *is* just a regular user (i.e., it's not uid 0). The bug is that we allow the 'bin' user ownership of files that can break the 'root' account. It's the ownership problem that is the bug.

The original reason 'bin' was put on BSD systems in the first place was to give prettier output in quot(1) messages. People complained about the change then, but were basically ignored. It appears as if quot(1) isn't even distributed anymore (at least not on the user level distribution) so I don't think this is a big deal anymore. Even if it was still distributed, I don't think the original motivation for the change is worth the security exposure it presents.

-- William
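An audit for the ownership condition the message describes, added here as an example and not part of the original e-mail or of FreeBSD: it lists files and directories on a command search path that are not owned by the trusted uid. The function name `audit_path_ownership` and its arguments are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original message). audit_path_ownership is a
# hypothetical helper: it reports every file and directory under the given
# colon-separated search path whose owner is not the trusted uid.
#
# usage: audit_path_ownership TRUSTED_UID DIR1:DIR2:...
#   e.g. audit_path_ownership 0 "$PATH"      (run as root for full coverage)
# Prints "ls -ldn" lines (numeric owner in column 3); returns 1 on findings.
audit_path_ownership() {
    trusted_uid=$1
    rest=$2:            # trailing ':' so the loop also consumes the last entry
    rc=0
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        # Skip empty or missing entries; only real directories are walked.
        [ -d "$dir" ] || continue
        # Directories count as well as files: whoever owns a directory can
        # replace the executables inside it, whatever the files' own owner.
        found=$(find "$dir" \( -type f -o -type d \) ! -uid "$trusted_uid" \
                    -exec ls -ldn {} + 2>/dev/null) || :
        if [ -n "$found" ]; then
            printf '%s\n' "$found"
            rc=1
        fi
    done
    return "$rc"
}
```

Any line it prints names a path where some account other than the trusted uid can alter what root later executes.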