Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 28 Mar 2002 17:43:04 -0800
From:      "Crist J. Clark" <cjc@FreeBSD.ORG>
To:        Jason Stone <jason-fbsd-security@shalott.net>
Cc:        security@FreeBSD.ORG
Subject:   Re: make world and setuid bits
Message-ID:  <20020328174304.L97841@blossom.cjclark.org>
In-Reply-To: <20020328161518.R5333-100000@walter>; from jason-fbsd-security@shalott.net on Thu, Mar 28, 2002 at 04:37:54PM -0800
References:  <20020328121850.D97841@blossom.cjclark.org> <20020328161518.R5333-100000@walter>

next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Mar 28, 2002 at 04:37:54PM -0800, Jason Stone wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> > > Are there make variables that can be set to prevent "make world" from
> > > installing binaries as setuid?  Currently, I always run something like
> > > "find -perms -4000 | xargs chmod u-s" after doing a make world, but this
> > > seems inelegant, prone to human error, and dangerous as there's a
> > > (potentially quite long) period in which there are still many setuid
> > > binaries....
> > >
> > > make options to allow the prevention of "setuid root", "all setuid",
> > > or "all setuid and all setgid" would be nice.
> >
> > For the vast majority of users, having no setuid binaries is a really,
> > really bad idea from a security standpoint. It forces you to do
> > everything as root.
> 
> 1) For server machines that have no non-root interactive users, the
>    "no setuid or setgid at all" option is a very good idea.

Some sites may use this policy, but I would never like it. It requires
direct logins as root.

> 2) Even on machines that do have interactive users, there are many
>    environments where it's possible to turn off most of the setuid root
>    bits - I see no reason to let users on a shared machine run ping or
>    traceroute, rsh/rlogin should never be used at all, I can get away with
>    not providing crontab, most servers don't have printers attached and
>    therefore have no use for lpr, etc.

passwd(1), at(1), crontab(1), login(1), su(1), some or most of those
would be required for almost any multiuser installation.

> So, given that there's decidedly some utility in doing this, is there any
> reason to not do so?

<insert the ususal arguments against rampant featurism here>
<insert the ususal comparison to M$ OS featurism to needlessly incite
emotional responses>

If you can come up with some reasonably non-obtrusive patches to the
build to control this with some make.conf(5) knobs, we can have a look
at the practicallity.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020328174304.L97841>