From owner-freebsd-hackers Tue Jan 16 21: 2:35 2001 Delivered-To: freebsd-hackers@freebsd.org Received: from bazooka.unixfreak.org (bazooka.unixfreak.org [63.198.170.138]) by hub.freebsd.org (Postfix) with ESMTP id 4A4E837B400 for ; Tue, 16 Jan 2001 21:02:19 -0800 (PST) Received: by bazooka.unixfreak.org (Postfix, from userid 1000) id 8D3563E02; Tue, 16 Jan 2001 21:02:18 -0800 (PST) Received: from unixfreak.org (localhost [127.0.0.1]) by bazooka.unixfreak.org (Postfix) with ESMTP id 86B483C10A; Tue, 16 Jan 2001 21:02:18 -0800 (PST) To: "Michael R. Wayne" Cc: hackers@FreeBSD.ORG Subject: Re: Protections on inetd (and /sbin/* /usr/sbin/* in general) In-Reply-To: Message from "Michael R. Wayne" of "Tue, 16 Jan 2001 22:35:10 EST." <200101170335.WAA18537@manor.msen.com> Date: Tue, 16 Jan 2001 21:02:13 -0800 From: Dima Dorfman Message-Id: <20010117050218.8D3563E02@bazooka.unixfreak.org> Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG > Recommendation: > A number of the executables located in /sbin and /usr/sbin are > never going to be invoked for any legitimate use by anyone other > than the superuser. In particular, servers such as portmap and > inetd run by non-root users are unlikely to do what was intended. > It seems a prudent measure to simply not set execute permission > by "other" on such programs during the install, giving the user > a handy "Permission denied" message when such an attempt is made. Since these files don't run with any extra privileges (i.e., they're not setuid or setgid), nothing stops a user from uploading their own copy and running it. Your proposal doesn't actually improve security; it just annoys the attacker. Whether this is a good thing or a waste of time is a matter of opinion; personally, I'm in the latter boat (i.e., I see no reason to do this). Dima Dorfman dima@unixfreak.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message