From owner-freebsd-security Fri Jan 26 12:01:47 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id MAA22503 for security-outgoing; Fri, 26 Jan 1996 12:01:47 -0800 (PST)
Received: from gateway.fedex.com (gateway.fedex.com [198.80.10.2]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id MAA22491 for ; Fri, 26 Jan 1996 12:01:40 -0800 (PST)
Received: by gateway.fedex.com id AA03214 (InterLock SMTP Gateway 3.0 for security@FreeBSD.ORG); Fri, 26 Jan 1996 13:56:29 -0600
X-Disclaimer: THE COMMENTS CONTAINED IN THIS MESSAGE REFLECT THE VIEWS OF THE WRITER AND ARE NOT NECESSARILY THE VIEWS OF FEDERAL EXPRESS CORPORATION.
Message-Id: <199601261956.AA03214@gateway.fedex.com>
Received: by gateway.fedex.com (Internal Mail Agent-2); Fri, 26 Jan 1996 13:56:29 -0600
Received: by gateway.fedex.com (Internal Mail Agent-1); Fri, 26 Jan 1996 13:56:29 -0600
X-Authentication-Warning: dpd08.dpd.fedex.com: Host localhost didn't use HELO protocol
To: Paul Richards
Cc: security@FreeBSD.ORG
Subject: Re: Ownership of files/tcp_wrappers port
Date: Fri, 26 Jan 1996 13:58:36 -0600
From: William McVey
Sender: owner-security@FreeBSD.ORG
Precedence: bulk

Paul Richards wrote:
>guys, these are NFS problems. If you want to stop people su'ing to bin
>then map bin to nobody as well.

I don't think this is the right approach. I believe it has been shown that if the user 'bin' owns executables run by root, then bin access equals root access. I've not seen any reasons why a bin owner is a good thing other than a supposed separation of root privileges; however, this "separation" doesn't take any privileges away from root and therefore the 'bin' ownership isn't accomplishing anything. I am at a loss as to why we'd want to build band-aids to gloss over a problem, rather than fix the problem itself. It has been mentioned before that UNIX was designed to have a single well protected administrative id (root). Why would we want multiple accounts that now need to have an equivalent amount of protection?

You suggest that we should fix the NFS to treat 'bin' special as well as root. This is the wrong approach. Root is treated special by NFS because it *IS* special. The 'bin' user is not inherently special other than the fact that it has been made the owner of files that can be used to break root. The bug here is not that NFS treats 'bin' as any other user since it *is* just a regular user (i.e. it's not uid 0). The bug is that we allow the 'bin' user ownership of files that can break the 'root' account. It's the ownership problem that is the bug.

The original reason 'bin' was put on BSD systems in the first place was to give prettier output in quot(1) messages. People complained about the change then, but were basically ignored. It appears as if quot(1) isn't even distributed anymore (at least not on the user level distribution) so I don't think this is a big deal anymore. Even if it was still distributed, I don't think the original motivation for the change is worth the security exposure it presents.

--
William
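The exposure argued about above, turned into a check an administrator could run; this is an added example and not part of the original message. It lists executables whose owner is not uid 0 (whoever holds that account, bin included, could replace something root runs), and the `ls -ln` sample listing and the use of uid 3 for bin are constructed assumptions.

```sh
#!/bin/sh
# Added example (not code from the original message). Audits for the exposure
# described in the post: executables that root runs but that are owned by a
# non-root uid such as 'bin'. Whoever holds that uid can replace the file, so
# compromising it is equivalent to root, and NFS mapping root to nobody does
# nothing for it. Assumes POSIX sh, find, ls -ln and awk; paths with spaces are
# not handled.

# untrusted_owners: read `ls -ln` lines on stdin, print "<uid> <path>" for every
# regular file with an execute bit whose owner uid is not 0.
# ls -ln fields: mode links uid gid size date... path (path is the last field).
untrusted_owners() {
  awk '$1 ~ /^-/ && $1 ~ /x/ && $3 != 0 { print $3, $NF }'
}

# audit_tree DIR: run the check over every regular file below DIR.
audit_tree() {
  find "$1" -type f -exec ls -ln {} + | untrusted_owners
}

# audit_summary DIR: one line per offending uid with its file count, so the fix
# (chown the files to root) can be scoped per account.
audit_summary() {
  audit_tree "$1" | awk '{ n[$1]++ } END { for (u in n) print u, n[u] }' | sort -n
}

# Constructed sample listing standing in for `ls -ln` output; uid 3 is assumed
# to be 'bin'. Two of the five entries should be flagged.
SAMPLE_LISTING='-r-xr-xr-x  1 0  0  12345 Jan 26  1996 /usr/bin/login
-r-xr-xr-x  1 3  7  23456 Jan 26  1996 /usr/bin/quot
-r--r--r--  1 3  7    789 Jan 26  1996 /usr/share/misc/termcap
-r-sr-xr-x  1 0  0  34567 Jan 26  1996 /usr/bin/su
-rwxr-xr-x  1 3  7   4567 Jan 26  1996 /etc/rc.local'

# sample_flagged: the check applied to the constructed listing.
sample_flagged() {
  printf '%s\n' "$SAMPLE_LISTING" | untrusted_owners
}

sample_flagged
# prints:
# 3 /usr/bin/quot
# 3 /etc/rc.local
```

On a live system, `audit_summary /usr/bin` (or the rc and cron directories) gives the per-uid count to chown back to root.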