From owner-freebsd-security  Thu Dec 16 15: 6:27 1999
Delivered-To: freebsd-security@freebsd.org
Received: from shadows.aeon.net (shadows.aeon.net [195.197.32.30])
	by hub.freebsd.org (Postfix) with ESMTP id C55AE15663
	for <freebsd-security@FreeBSD.ORG>; Thu, 16 Dec 1999 15:06:06 -0800 (PST)
	(envelope-from bsdsec@shadows.aeon.net)
Received: (from bsdsec@localhost)
          by shadows.aeon.net (8.9.3/8.8.3) id BAA15160;
          Fri, 17 Dec 1999 01:06:17 +0200 (EET)
From: mika ruohotie <bsdsec@shadows.aeon.net>
Message-Id: <199912162306.BAA15160@shadows.aeon.net>
Subject: Re: setuid revisited (was Re: From BugTraq - FreeBSD 3.3 xsoldier root exploit (fwd) )
In-Reply-To: <99Dec17.091851est.40344@border.alcanet.com.au> from Peter Jeremy at "Dec 17, 1999 09:27:18 am"
To: peter.jeremy@alcatel.com.au (Peter Jeremy)
Date: Fri, 17 Dec 1999 01:06:17 +0200 (EET)
Cc: mike@sentex.net (Mike Tancsa), freebsd-security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> >Even the main tree seems a big permissive for some applications (in my
> >case, an ISP).
> Much of this is really that our install approach doesn't allow fine

[snip]

> >  Similarly, I dont think my users need access to vmstat
> Probably not, but that depends on what you want to let your users do.

exactly.

i think it's not a good idea to make the default installation much too
restrictive. if one is about to use freebsd (or any other unix) as a
shell server, they have to harden the box anyway. and about everyone i
know in the "business", like to do things slightly different.

the default installation should leave the machine still _usable_
without assuming the user wishes to abuse root for everything.

personally, i much rather hang around as user, and i _do_ use things
like vmstat _lots_ in my boxen. all of which only allow _very_ limited
access _into_ the machine.

sure, all kinds of installation options sound nice, but they might
be too hard to implement, specially since the audience for which
they'd be, prefer mainly do things _themselves_ without click&drool
gimmics.

and i know things that i've just said have been repeated all over
this list, and other lists.

> Peter


mickey
-- 
company: SAUNALAHDEN SERVERI           >>>^<<<       Network Development
email: mika.ruohotie@saunalahti.fi       /?\         System Administrator
www: www.saunalahti.fi                   | |         
.??.??????.????.??.??????.????.?????.??.oOOOo.??.?????.??.?????.??.????.??.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message