From owner-freebsd-security Thu Mar 28 17:43:20 2002 Delivered-To: freebsd-security@freebsd.org Received: from rwcrmhc51.attbi.com (rwcrmhc51.attbi.com [204.127.198.38]) by hub.freebsd.org (Postfix) with ESMTP id 27E8F37B41B for ; Thu, 28 Mar 2002 17:43:08 -0800 (PST) Received: from blossom.cjclark.org ([12.234.91.48]) by rwcrmhc51.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020329014307.ZZQX2626.rwcrmhc51.attbi.com@blossom.cjclark.org>; Fri, 29 Mar 2002 01:43:07 +0000 Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.6) id g2T1h5r26741; Thu, 28 Mar 2002 17:43:05 -0800 (PST) (envelope-from cjc) Date: Thu, 28 Mar 2002 17:43:04 -0800 From: "Crist J. Clark" To: Jason Stone Cc: security@FreeBSD.ORG Subject: Re: make world and setuid bits Message-ID: <20020328174304.L97841@blossom.cjclark.org> References: <20020328121850.D97841@blossom.cjclark.org> <20020328161518.R5333-100000@walter> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20020328161518.R5333-100000@walter>; from jason-fbsd-security@shalott.net on Thu, Mar 28, 2002 at 04:37:54PM -0800 X-URL: http://people.freebsd.org/~cjc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Mar 28, 2002 at 04:37:54PM -0800, Jason Stone wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > > Are there make variables that can be set to prevent "make world" from > > > installing binaries as setuid? Currently, I always run something like > > > "find -perms -4000 | xargs chmod u-s" after doing a make world, but this > > > seems inelegant, prone to human error, and dangerous as there's a > > > (potentially quite long) period in which there are still many setuid > > > binaries.... > > > > > > make options to allow the prevention of "setuid root", "all setuid", > > > or "all setuid and all setgid" would be nice. > > > > For the vast majority of users, having no setuid binaries is a really, > > really bad idea from a security standpoint. It forces you to do > > everything as root. > > 1) For server machines that have no non-root interactive users, the > "no setuid or setgid at all" option is a very good idea. Some sites may use this policy, but I would never like it. It requires direct logins as root. > 2) Even on machines that do have interactive users, there are many > environments where it's possible to turn off most of the setuid root > bits - I see no reason to let users on a shared machine run ping or > traceroute, rsh/rlogin should never be used at all, I can get away with > not providing crontab, most servers don't have printers attached and > therefore have no use for lpr, etc. passwd(1), at(1), crontab(1), login(1), su(1), some or most of those would be required for almost any multiuser installation. > So, given that there's decidedly some utility in doing this, is there any > reason to not do so? If you can come up with some reasonably non-obtrusive patches to the build to control this with some make.conf(5) knobs, we can have a look at the practicallity. -- Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message