From owner-freebsd-hackers Mon Feb 24 23:58:22 1997
Date: Tue, 25 Feb 1997 08:44:29 +0100
From: j@uriah.heep.sax.de (J Wunsch)
To: adrian@cougar.aceonline.com.au (Adrian Chadd)
Cc: marcs@znep.com (Marc Slemko), hackers@freebsd.org, auditors@freebsd.org
Subject: Re: disallow setuid root shells?
Reply-To: joerg_wunsch@uriah.heep.sax.de (Joerg Wunsch)
In-Reply-To: from Adrian Chadd on Feb 25, 1997 09:38:09 +0800

As Adrian Chadd wrote:

> Ahh ok, I'll take a look at that when I get home. I however like the idea
> of logging all setuid programs when they are run, and at the kernel level
> as well. The only problem I can see is with the size of the logs, but if
> people think it's a worthwhile thing I might have a look at implementing
> something, again when I get home.

If you do this:

. make it configurable via sysctl,
. don't turn it on by default.

I presume you're gonna log it at auth.info, but I for sure don't wanna see
each suid program with the same notification as each login. In an
environment where you can basically trust your users, it's pointless to
log them; all you have to care about is not getting break-ins from outside.
--
cheers, J"org    joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)