From owner-freebsd-security Thu Dec 16 14:27:48 1999 Delivered-To: freebsd-security@freebsd.org Received: from alcanet.com.au (border.alcanet.com.au [203.62.196.10]) by hub.freebsd.org (Postfix) with ESMTP id 4B3DF156E4 for ; Thu, 16 Dec 1999 14:27:38 -0800 (PST) (envelope-from jeremyp@gsmx07.alcatel.com.au) Received: by border.alcanet.com.au id <40344>; Fri, 17 Dec 1999 09:18:51 +1100 Content-return: prohibited Date: Fri, 17 Dec 1999 09:27:18 +1100 From: Peter Jeremy Subject: Re: setuid revisited (was Re: From BugTraq - FreeBSD 3.3 xsoldier root exploit (fwd) ) In-reply-to: <3.0.5.32.19991216143031.0192ae30@staff.sentex.ca>; from mike@sentex.net on Fri, Dec 17, 1999 at 06:30:31AM +1100 To: Mike Tancsa Cc: freebsd-security@FreeBSD.ORG Message-Id: <99Dec17.091851est.40344@border.alcanet.com.au> MIME-version: 1.0 X-Mailer: Mutt 1.0i Content-type: text/plain; charset=us-ascii References: <14425.12035.757889.422296@anarcat.dyndns.org> <199912160615.XAA69151@harmony.village.org> <199912161828.LAA72864@harmony.village.org> <14425.12637.308602.637788@anarcat.dyndns.org> <3.0.5.32.19991216143031.0192ae30@staff.sentex.ca> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On 1999-Dec-17 06:30:31 +1100, Mike Tancsa wrote: >Even the main tree seems a big permissive for some applications (in my >case, an ISP). Much of this is really that our install approach doesn't allow fine enough granularity to allow unwanted bits to be left off. This is one of the things that Jordan's new sysinstall will address. >-r-sr-xr-x 5 root wheel 290448 Dec 14 00:04:32 1999 /usr/bin/hoststat >-r-sr-xr-x 5 root wheel 290448 Dec 14 00:04:32 1999 /usr/sbin/purgestat These are hard-links to /usr/sbin/sendmail. If you're using sendmail as an MTA and users can locally submit mail, then it needs to be globally executable. >-r-xr-sr-x 1 root games 6188 Dec 13 23:59:52 1999 /usr/games/dm The only purpose of `dm' is to allow you to regular game playing. If you want to allow anyone to play games at any time, you could drop the setgid bit, but you'd then have to changes the permissions of (and in) /usr/games/hide. >Things like the printer control for example... If you dont have printing >services, why bother with the control programs. Which is an install issue - we should have an `lp services' box to select or ignore. > Similarly, I dont think my users need access to vmstat Probably not, but that depends on what you want to let your users do. > or any of the backup programs, local or remote. Agreed. Peter To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message