From owner-freebsd-security Sun Nov 15 22:39:48 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id WAA25821 for freebsd-security-outgoing; Sun, 15 Nov 1998 22:39:48 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from david.siemens.de (david.siemens.de [192.35.17.14]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id WAA25813 for ; Sun, 15 Nov 1998 22:39:44 -0800 (PST) (envelope-from andre.albsmeier@mchp.siemens.de) X-Envelope-Sender-Is: andre.albsmeier@mchp.siemens.de (at relayer david.siemens.de) Received: from mail.siemens.de (salomon.siemens.de [139.23.33.13]) by david.siemens.de (8.9.1a/8.9.1) with ESMTP id HAA00846 for ; Mon, 16 Nov 1998 07:39:17 +0100 (MET) Received: from curry.mchp.siemens.de (daemon@curry.mchp.siemens.de [146.180.31.23]) by mail.siemens.de (8.9.1a/8.9.1) with ESMTP id HAA24850 for ; Mon, 16 Nov 1998 07:39:19 +0100 (MET) Received: (from daemon@localhost) by curry.mchp.siemens.de (8.8.8/8.8.8) id HAA15536 for ; Mon, 16 Nov 1998 07:39:19 +0100 (CET) Message-ID: <19981116073914.F969@internal> Date: Mon, 16 Nov 1998 07:39:14 +0100 From: Andre Albsmeier To: Terry Lambert , Matthew Dillon Cc: andre.albsmeier@mchp.siemens.de, freebsd-security@FreeBSD.ORG Subject: Re: Would this make FreeBSD more secure? References: <199811151758.JAA15108@apollo.backplane.com> <199811152257.PAA02868@usr05.primenet.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 0.93.2i In-Reply-To: <199811152257.PAA02868@usr05.primenet.com>; from Terry Lambert on Sun, Nov 15, 1998 at 10:57:20PM +0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sun, Nov 15, 1998 at 10:57:20PM +0000, Terry Lambert wrote: > > :while installing xlockmore, I noticed that its mode is 4111 for root. > > :... > > : > > :Wouldn't it be generally a good idea to make the /etc/spwd.db and > > :the /etc/master.passwd file 640 and give them to a newly created > > : > > :root@voyager:~>ll /usr/X11R6/bin/xlock > > :---x--s--x 1 root pw - 126976 Oct 1 08:17 /usr/X11R6/bin/xlock* > > : > > :What do you think? Will it make my systems more insecure with the > > :above stuff or not? If not, wouldn't it make sense to incorporate > > :the changes into FreeBSD? IMHO they break nothing since all programs > > > > I think this is an excellent idea. A similar method is used for > > the 'operator' group, to allow the dumper to dump disks without > > giving him write access to them. > > > There are several holes in the theory. The number one hole is > that if I'm trusting you to read the engrpted passwords, I'm > trusting you to not run "crack" (or whatever) against the > password file. Basically, DES is insecure enough tese days that > if I trust you with read access, I'm effectively trusting you > with the root password (if you had access to the EFF hardware, > you could obtain root in less than an hour). Sure, I don't say my theory makes a system 100% secure. But I think there are benefits because you have to perform additional steps to become root. You have to crack the encrypted root pw and not everyone has an EFF machine at home :-). Now you can write to the pw file directly as soon as you compromise the setuid root program. -Andre To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message