Message-Id: <199901250009.RAA06600@harmony.village.org>
To: Coranth Gryphon
Subject: Re: bin Directory Ownership
Cc: cjclark@home.com, freebsd-security@FreeBSD.ORG
In-reply-to: Your message of "Sat, 23 Jan 1999 11:49:40 PST." <36AA27D4.C65CE38@healer.com>
References: <36AA27D4.C65CE38@healer.com> <199901230414.XAA02392@cc942873-a.ewndsr1.nj.home.com>
Date: Sun, 24 Jan 1999 17:09:57 -0700
From: Warner Losh

bin owned files can be more insecure than root owned files. How, you ask? NFS is one way. When you have bin owned files, they can be changed remotely by the user bin. However, unless you specifically enable trusting remote root, root owned files cannot be changed like that. Diskless machines would create a possible vulnerability here if one of them was compromised.

It has been argued that root owned files are vulnerable when someone breaks root. This is true. However, bin owned files are also vulnerable to change when root is broken. When bin is broken, bin owned files are also vulnerable.

Having root owned files in directories owned by another user can be a small weakness. Those files would be vulnerable to being removed or renamed by the user who owns the directory. This would allow that user to substitute their own files in place of the ones owned by root. So it is undesirable to have this slight vulnerability.

That's why -current (3.0 release and newer) has changed the ownership from bin to root.

Warner
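A read-only audit for the two conditions the message describes, added here as an example and not part of the original post: files owned by an account other than root, and root-owned files that sit in (or below) a directory owned by another account. The name `audit_tree`, the default trusted set of uid 0 and the injectable `lstat` parameter are assumptions of this sketch; it checks ownership only, not permission bits, and only directories inside the audited tree.

```python
import os
import stat
import sys

def audit_tree(root, trusted_uids=frozenset({0}), lstat=os.lstat):
    """Walk root and return (path, reason) for every regular file that an
    account outside trusted_uids could modify or replace.

    reason is "file-owner" when the file itself belongs to an untrusted uid,
    or "dir-owner" when the file is trusted-owned but its directory (or a
    directory above it, inside root) belongs to an untrusted uid, whose owner
    can rename or remove the file and substitute another.
    lstat is injectable so ownership can be simulated without chown.
    """
    root = os.path.normpath(root)  # keep dirname() comparisons consistent
    findings = []
    tainted = set()  # directories an untrusted owner controls or can swap out
    for dirpath, _dirnames, filenames in os.walk(root):
        # Top-down walk: a parent is always classified before its children.
        if (lstat(dirpath).st_uid not in trusted_uids
                or os.path.dirname(dirpath) in tainted):
            tainted.add(dirpath)
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            st = lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices and sockets are out of scope here
            if st.st_uid not in trusted_uids:
                findings.append((path, "file-owner"))
            elif dirpath in tainted:
                findings.append((path, "dir-owner"))
    return findings

if __name__ == "__main__":
    # Default targets are illustrative; pass the directories to audit as arguments.
    for target in sys.argv[1:] or ["/bin", "/usr/bin"]:
        for path, reason in audit_tree(target):
            print(f"{reason}\t{path}")
```

On a tree where everything is owned by root the script prints nothing; each line it does print names a file that an account other than root could change or swap out.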