Date:      Fri, 17 Dec 1999 09:27:18 +1100
From:      Peter Jeremy <peter.jeremy@alcatel.com.au>
To:        Mike Tancsa <mike@sentex.net>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: setuid revisited (was Re: From BugTraq - FreeBSD 3.3 xsoldier root exploit (fwd) )
Message-ID:  <99Dec17.091851est.40344@border.alcanet.com.au>
In-Reply-To: <3.0.5.32.19991216143031.0192ae30@staff.sentex.ca>; from mike@sentex.net on Fri, Dec 17, 1999 at 06:30:31AM +1100
References:  <14425.12035.757889.422296@anarcat.dyndns.org> <199912160615.XAA69151@harmony.village.org> <Pine.BSF.3.96.991216091552.26813A-100000@fledge.watson.org> <199912161828.LAA72864@harmony.village.org> <14425.12637.308602.637788@anarcat.dyndns.org> <3.0.5.32.19991216143031.0192ae30@staff.sentex.ca>

On 1999-Dec-17 06:30:31 +1100, Mike Tancsa <mike@sentex.net> wrote:
>Even the main tree seems a bit permissive for some applications (in my
>case, an ISP).

Much of this is really that our install approach doesn't allow fine
enough granularity to allow unwanted bits to be left off.  This is
one of the things that Jordan's new sysinstall will address.

>-r-sr-xr-x  5 root  wheel   290448 Dec 14 00:04:32 1999 /usr/bin/hoststat
>-r-sr-xr-x  5 root  wheel   290448 Dec 14 00:04:32 1999 /usr/sbin/purgestat

These are hard-links to /usr/sbin/sendmail.  If you're using sendmail
as an MTA and users can locally submit mail, then it needs to be
globally executable.

>-r-xr-sr-x  1 root      games      6188 Dec 13 23:59:52 1999 /usr/games/dm

The only purpose of `dm' is to allow you to regulate game playing.  If
you want to allow anyone to play games at any time, you could drop the
setgid bit, but you'd then have to change the permissions of (and in)
/usr/games/hide.

>Things like the printer control for example... If you don't have printing
>services, why bother with the control programs.
Which is an install issue - we should have an `lp services' box to
select or ignore.

>  Similarly, I don't think my users need access to vmstat
Probably not, but that depends on what you want to let your users do.

> or any of the backup programs, local or remote.
Agreed.

Peter
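
Added example (not part of the original message): an audit script that lists setuid/setgid files grouped by inode, so hard-linked names such as hoststat and purgestat show up as one binary rather than as separate entries. The function names and the default root of /usr are assumptions made for this illustration.

```python
import os
import stat
import sys
from collections import defaultdict


def audit_setid(root):
    """Map (device, inode) -> info for each setuid/setgid regular file under root."""
    found = defaultdict(lambda: {"mode": "", "nlink": 0, "paths": []})
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # vanished or unreadable while scanning
            if not stat.S_ISREG(st.st_mode):
                continue
            if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            # Hard links share one inode, so one key collects every name.
            entry = found[(st.st_dev, st.st_ino)]
            entry["mode"] = stat.filemode(st.st_mode)
            entry["nlink"] = st.st_nlink
            entry["paths"].append(path)
    for entry in found.values():
        entry["paths"].sort()
    return dict(found)


def unseen_links(entry):
    """Number of names the inode has outside the scanned tree."""
    return entry["nlink"] - len(entry["paths"])


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr"  # assumed default
    for (_dev, ino), e in sorted(audit_setid(root).items()):
        print(f"{e['mode']} links={e['nlink']} inode={ino}")
        for p in e["paths"]:
            print(f"    {p}")
        if unseen_links(e) > 0:
            print(f"    ({unseen_links(e)} more name(s) outside {root})")
```

The mode bits live on the inode, so a chmod through any one name changes every hard link at once; a nonzero "more name(s)" count means the scan root should be widened to find the remaining names.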

