From owner-freebsd-security Sun Oct 31 19:36:47 1999
Delivered-To: freebsd-security@freebsd.org
Received: from alcanet.com.au (border.alcanet.com.au [203.62.196.10]) by hub.freebsd.org (Postfix) with ESMTP id 2793E14A16 for ; Sun, 31 Oct 1999 19:36:42 -0800 (PST) (envelope-from jeremyp@gsmx07.alcatel.com.au)
Received: by border.alcanet.com.au id <40332>; Mon, 1 Nov 1999 14:31:18 +1100
Content-return: prohibited
Date: Mon, 1 Nov 1999 14:36:32 +1100
From: Peter Jeremy
Subject: Re: Examining FBSD set[ug]ids and their use
In-reply-to: <14364.64172.638014.558487@anarcat.dyndns.org>
To: Spidey
Cc: freebsd-security@FreeBSD.ORG
Reply-To: peter.jeremy@alcatel.com.au
Message-Id: <99Nov1.143118est.40332@border.alcanet.com.au>
MIME-version: 1.0
X-Mailer: Mutt 1.0pre3i
Content-type: text/plain; charset=us-ascii
References: <14364.64172.638014.558487@anarcat.dyndns.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 1999-Nov-01 13:27:56 +1100, Spidey wrote:
>I started 'compiling' some info about the use of the setuid and setgid
>files in FreeBSD.

An excellent idea. Note that some of the files you specify are ports.

As a general rule, anything that is setgid kmem should be converted to a
new sysctl with an unprivileged task to access it.

># Allow users to see processes? Users cannot see the 'STARTED' and
># 'TIME' columns, from ps aux... I don't want to dig much more..
> ps gname=kmem mode=2555

I believe it's necessary for users to see other users' processes. The
information should probably be available via /proc instead.

># I don't have a ccd... I can't test this.
> ccdconfig gname=kmem

Probably unnecessary. No-one but root needs to be able to run ccdconfig.

># Allow users to dump on remote (see dump(1), the BUGS section)
> dump gname=tty
> rdump gname=tty
> restore gname=tty
> rrestore gname=tty

As I recall it, this is to allow dump/restore to write to the console
(and wake up the operator) when it needs feeding.

># Allow users to bind on a socket (which? where?)
> ping mode=4555

Needed to allow ordinary mortals to send raw IP (ICMP) packets.

># Allow users to consult routing tables
> route mode=4555

Needed to allow ordinary mortals to access the routing socket. This is
probably another sysctl candidate.

># ????? Look what's here?!
> Xwrapper mode=4711

This is a wrapper for the X-server. The idea is that Xwrapper is slightly
smaller :-) and less subject to security holes.

># Allow users to read master.passwd, skeykeys and probably other
># things...
> login

Necessary to allow users to log in as another user.

># Allow users to read the mail queue
># Again, this is part of the sendmail suite and _can_ be replaced :)
> mailq

Hard link to newaliases and sendmail. Only needs root for local mail
delivery in the absence of a setuid local delivery agent. (It's fairly
trivial to sandbox sendmail).

># Allow users to use the catman cache
                  ^^^ update
> man uname=man

># Allow users to 'read' /etc/master.passwd
> su

Actually it's to allow users to change their uid.

># I never understood what uucp was....
>/set mode=4555 uname=uucp gname=wheel
> uucp
> uuname
> uustat gname=dialer mode=6555
> uux

UUCP lives in its own sandbox.

># "Gaming" management
> dm

All games live in their own group for sandboxing.

># This is the sendmail super-program that does everything. Get rid of
># it, install postfix.. :)

Religious comments don't belong in a file being touted as a part of
generic FreeBSD.

Peter

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
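An added example, not code from this thread, from FreeBSD or from mtree(8): a small Python audit script for the kind of inventory Spidey is compiling. It reads a spec in the mtree-style format the quoted file uses (`/set` lines supply defaults for the entries after them; each entry is `name key=value ...`), walks a directory for regular files carrying the set-uid or set-gid bit, and reports anything set-id that the spec does not list, any listed file whose mode, owner or group has drifted from the spec, and which privilege each unlisted file hands out (set-gid kmem is tagged so the sysctl candidates Peter points at are easy to grep for). The embedded `SAMPLE_SPEC` is constructed from entries quoted above and is not a complete list; the `owner_of` hook, the function names and the wording of the findings are this example's own choices, and only the `mode`, `uname` and `gname` keywords are understood.

```python
"""Audit the set-id files under a directory against an mtree-style inventory.
Added example for this thread; not code from FreeBSD, mtree(8) or the list."""
import grp
import os
import pwd
import stat
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple

# Constructed from entries quoted in the thread; not a complete inventory.
SAMPLE_SPEC = """\
# Allow users to see processes
ps gname=kmem mode=2555
# Allow users to send ICMP
ping mode=4555
# Allow users to consult routing tables
route mode=4555
/set mode=4555 uname=uucp gname=wheel
uucp
uustat gname=dialer mode=6555
"""

Owner = Tuple[str, str]                   # (uname, gname)
Found = Dict[str, Tuple[int, str, str]]   # relpath -> (perm bits, uname, gname)


class SpecEntry(NamedTuple):
    name: str
    mode: Optional[int]     # None when the spec does not pin the mode
    uname: Optional[str]
    gname: Optional[str]


def _attrs(fields: List[str]) -> Dict[str, str]:
    """'key=value' words to a dict; a bare keyword gets an empty value."""
    return {k: v for k, _, v in (f.partition("=") for f in fields)}


def parse_spec(text: str) -> Dict[str, SpecEntry]:
    """'#' comments, '/set' lines that change the defaults for later entries,
    and 'name key=value ...' entries whose own attributes override them."""
    defaults: Dict[str, str] = {}
    entries: Dict[str, SpecEntry] = {}
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] == "/set":
            defaults.update(_attrs(fields[1:]))
            continue
        attrs = dict(defaults, **_attrs(fields[1:]))
        mode = int(attrs["mode"], 8) if "mode" in attrs else None
        entries[fields[0]] = SpecEntry(fields[0], mode,
                                       attrs.get("uname"), attrs.get("gname"))
    return entries


def owner_from_stat(st: os.stat_result) -> Owner:
    """Resolve uid/gid to names, falling back to the number for unknown ids."""
    try:
        uname = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        uname = str(st.st_uid)
    try:
        gname = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        gname = str(st.st_gid)
    return uname, gname


def scan_tree(root: str,
              owner_of: Callable[[os.stat_result], Owner] = owner_from_stat) -> Found:
    """Every regular file under root with the set-uid or set-gid bit, keyed by
    path relative to root.  lstat: symlinks to set-id binaries are not counted."""
    found: Found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            perm = stat.S_IMODE(st.st_mode)
            if stat.S_ISREG(st.st_mode) and perm & (stat.S_ISUID | stat.S_ISGID):
                uname, gname = owner_of(st)
                found[os.path.relpath(path, root)] = (perm, uname, gname)
    return found


def classify(perm: int, uname: str, gname: str) -> List[str]:
    """Name the privilege a set-id file hands out (e.g. 'setgid-kmem')."""
    tags = []
    if perm & stat.S_ISUID:
        tags.append("setuid-" + uname)
    if perm & stat.S_ISGID:
        tags.append("setgid-" + gname)
    return tags


def audit(spec: Dict[str, SpecEntry], found: Found) -> List[Tuple[str, str]]:
    """Unlisted set-id files first (the finding that matters most), then
    mode/owner/group drift on listed files, then listed files not set-id on disk."""
    findings: List[Tuple[str, str]] = []
    for name in sorted(found):
        perm, uname, gname = found[name]
        if name not in spec:
            tags = ",".join(classify(perm, uname, gname))
            findings.append((name, "not in spec: %o %s:%s (%s)" % (perm, uname, gname, tags)))
            continue
        entry = spec[name]
        if entry.mode is not None and entry.mode != perm:
            findings.append((name, "mode %o, spec %o" % (perm, entry.mode)))
        if entry.uname is not None and entry.uname != uname:
            findings.append((name, "owner %s, spec %s" % (uname, entry.uname)))
        if entry.gname is not None and entry.gname != gname:
            findings.append((name, "group %s, spec %s" % (gname, entry.gname)))
    for name in sorted(set(spec) - set(found)):
        findings.append((name, "in spec but not set-id on disk"))
    return findings


if __name__ == "__main__":
    import sys
    for name, issue in audit(parse_spec(SAMPLE_SPEC), scan_tree(sys.argv[1])):
        print("%-12s %s" % (name, issue))
```

Run it as `python3 setid_audit.py /usr/bin` on the box being inventoried, with the spec replaced by the full list (or by the output of `mtree -c` with everything that is not set-id dropped). Keying by path relative to the scanned root is deliberate: a second set-id copy of a listed binary in another directory shows up as "not in spec" instead of being hidden behind the listed one.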