Date: Thu, 16 Dec 1999 14:18:18 -0500 (EST)
From: Spidey <beaupran@iro.umontreal.ca>
To: Robert Watson <robert+freebsd@cyrus.watson.org>
Cc: Warner Losh <imp@village.org>, Chris England <cengland@obscurity.org>, freebsd-security@FreeBSD.ORG
Subject: Re: From BugTraq - FreeBSD 3.3 xsoldier root exploit (fwd)
Message-ID: <14425.15098.737556.573749@anarcat.dyndns.org>
References: <14425.12637.308602.637788@anarcat.dyndns.org> <Pine.BSF.3.96.991216135055.26813G-100000@fledge.watson.org>
I really think that this would be a _great_ improvement.
I would be ready to donate time to this. :))
Should I start patching? :)
--- Big Brother told Robert Watson to write, at 13:56 of December 16:
> On Thu, 16 Dec 1999, Spidey wrote:
>
> > Yes. Since I've been looking at setuid's on FBSD, my primary concern's
> > been with the ports. I wished there could be some way to have a
> > variable in the Makefiles that say "NOSETUID=YES". :))
> >
> > We should make a a definite list of all the setuid's in the whole port
> > tree. Maybe the port maintainers can give a hand?
> >
> > Darn.. déjà vu...
>
> Yup, it's déjà vu all over again. If you want a heavy-handed security
> approach, here's how you do it. Define two new Makefile ports variables:
>
> HAS_MISC_SET_ID= {yes,no}
> HAS_ROOT_SETUID= {yes,no}
>
> Starting today, warn all ports maintainers that their ports must (ideally
> correctly) define these variables for all of their ports. In two weeks,
> any port that doesn't define both variables is marked as broken. After
> one week, we introduce a check in the package building procedure that
> checks for any setuid or setgid binaries in the installed version. If the
> variable value reported is wrong, the port is marked as broken.
>
> We then have an effective and mandated list of ports making use of set?id
> binaries. Each one of these ports undergoes a security review by the
> auditing team--not to fix bugs, just to identify whether the source code
> is prone to bugs (extensive use of string functions in unsafe ways, etc)
> -- a twenty minute thing. If it's found to be unsafe, the port is marked
> as unsafe, meaning that packages are not autobuilt for it, and that a user
> attempting to install the port is *loudly* warned that the code is unsafe,
> and they must confirm the install by using make unsafe-install.
>
> That's heavy-handed security for you: mandate identification of problems
> and correctness.
>
> This doesn't address daemons (imapd, etc) that also run privileged, but is
> a good first step.
>
> Robert N M Watson
>
> robert@fledge.watson.org http://www.watson.org/~robert/
> PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
> TIS Labs at Network Associates, Safeport Network Services
--
Si l'image donne l'illusion de savoir
C'est que l'adage pretend que pour croire,
L'important ne serait que de voir
Lofofora
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?14425.15098.737556.573749>
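The check Robert Watson proposes above, a package-build step that inspects the installed tree for setuid/setgid binaries and compares the result with the port's declared HAS_ROOT_SETUID / HAS_MISC_SET_ID values, can be sketched in a few lines of POSIX sh. The script below is an added example written for this archive page; it is not code from the thread or from the FreeBSD ports tree, and the function names scan_setid_tree, list_setid_files and check_port_setid are hypothetical. It assumes the port has been staged into a directory and that the variable values are passed in as plain yes/no strings; the Makefile variable names are the two proposed in the quoted mail.

```shell
#!/bin/sh
# Added example (not from the thread or the ports tree): verify a port's
# declared set-id status against what was actually installed under a prefix.
# HAS_ROOT_SETUID / HAS_MISC_SET_ID are the variable names proposed in the
# quoted mail; the function names below are hypothetical.

# Print two words, "<root> <misc>", each "yes" or "no":
#   root = at least one setuid file owned by root was found under $1
#   misc = at least one setuid file NOT owned by root, or any setgid file
scan_setid_tree() {
    dir=$1
    root=no
    misc=no
    # setuid-root binaries: the case that turns any local bug into root
    if [ -n "$(find "$dir" -type f -user root -perm -4000 -print 2>/dev/null | head -n 1)" ]; then
        root=yes
    fi
    # remaining set-id files: setuid to a non-root user, or setgid to any group
    if [ -n "$(find "$dir" -type f \( \( -perm -4000 ! -user root \) -o -perm -2000 \) -print 2>/dev/null | head -n 1)" ]; then
        misc=yes
    fi
    echo "$root $misc"
}

# List every set-id file under $1 with its mode and owner, so the maintainer
# or auditor can see exactly which binaries triggered the check.
list_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; 2>/dev/null
}

# Compare the declared values ($2 = HAS_ROOT_SETUID, $3 = HAS_MISC_SET_ID)
# with what scan_setid_tree finds under $1. Returns 0 when they agree and
# 1 otherwise; a package build would treat 1 as "mark the port broken".
check_port_setid() {
    dir=$1
    declared_root=$2
    declared_misc=$3
    set -- $(scan_setid_tree "$dir")
    found_root=$1
    found_misc=$2
    status=0
    if [ "$declared_root" != "$found_root" ]; then
        echo "HAS_ROOT_SETUID=$declared_root but setuid-root binaries present: $found_root" >&2
        status=1
    fi
    if [ "$declared_misc" != "$found_misc" ]; then
        echo "HAS_MISC_SET_ID=$declared_misc but other set-id binaries present: $found_misc" >&2
        status=1
    fi
    if [ "$status" -ne 0 ]; then
        list_setid_files "$dir" >&2
    fi
    return "$status"
}

# Usage from a build script, e.g. with the staging prefix and Makefile values:
#   check_port_setid "$STAGEDIR" "$HAS_ROOT_SETUID" "$HAS_MISC_SET_ID" || echo "port is BROKEN"
```

The two find invocations are split on purpose: a setuid-root file is the case that matters most for the auditing team, so it is reported under its own variable rather than lumped in with setgid-to-games or setuid-to-uucp binaries. Because find -perm reads the mode bits, the check also works on a staging tree mounted nosuid, where the bits are stored but not honoured.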
