Date: Sun, 19 Apr 1998 14:23:36 -0400 (EDT)
From: Robert Watson <robert@cyrus.watson.org>
To: Marc Slemko <marcs@znep.com>
Cc: Niall Smart <rotel@indigo.ie>, freebsd-security@FreeBSD.ORG
Subject: Re: suid/sgid programs
Message-ID: <Pine.BSF.3.96.980419141611.18223C-100000@trojanhorse.pr.watson.org>
In-Reply-To: <Pine.BSF.3.95.980419094941.16057k-100000@alive.znep.com>
On Sun, 19 Apr 1998, Marc Slemko wrote:

> Erm... that is an extremely poor policy. Figuring out what needs to be
> setuid or setgid to what isn't trivial. I'm not sure what you are trying
> to save here. What is the real issue if someone compromises the user or
> group uucp? I guess that uucico, which is setgid to dialer, gives them
> something. If they compromise the uucp uid then they can mess with the
> uucp binaries which someone may try to run sometime for some reason, but
> I really don't see how it is enough to warrant shipping broken programs.

There are two issues here, I think:

1) Reduce suid root programs to limit the ability to gain system administration abilities

2) Reduce the ability of a compromise of any account from spreading

A compromisable binary allows user x to execute code as user y. Since the UNIX security model is protection along user boundaries, this is a problem. Auditing (where done at all) is usually done by a combination of uid and pid. If I don't run UUCP, there's no reason that users aware of a bug should be able to execute code as any account except for their own.

I know -- fix the suid program. But we have to deal with the reality that bugs are constantly found in suid programs. Just look at the OpenBSD cvs log :). One answer is to reduce the suid code base.

Additionally, and this is a minor point -- for a program to be suid to some account, it must be owned by that account user. However, it also exists in the standard path of all of the users (/usr/bin is in the path of most people I know :). I'd much rather have all the files in the standard executable path only be owned by bin.bin or root.wheel or whatever. The majority are, of course, but the UUCP ones definitely aren't. This is clearly not as bad as having '.' in your path, but it is not great.

Also -- a quick fun note. Always chmod u-s a buggy program before rm'ing it. You never know what hard links are lying around :).
Robert N Watson
----
Carnegie Mellon University            http://www.cmu.edu/
Trusted Information Systems           http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
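The closing tip (clear the setuid bit before rm'ing a buggy program) and the ownership point are worth seeing in action. The following shell script is an added illustration, not part of the thread or of FreeBSD: it simulates a setuid program on a harmless script in a scratch directory, shows that rm alone leaves the bit intact on a surviving hard link while chmod u-s clears it for every link, and ends with an audit helper (assumed, not from the thread) that lists setuid/setgid files with extra links or a non-root owner.

```shell
#!/bin/sh
# Added example, not from the original message. rm only removes one name;
# another hard link keeps the same inode and therefore the same setuid bit.
# chmod u-s changes the inode, so every link loses the bit at once.
# "Setuid" is simulated on a trivial script that nothing executes.

# Count regular files under $1 that carry the setuid bit.
setuid_count() {
    find "$1" -type f -perm -4000 | wc -l | tr -d ' '
}

# Create a fake "buggy" setuid program in $1 plus an unobvious second hard link.
make_buggy() {
    printf '#!/bin/sh\necho buggy\n' > "$1/buggy"
    chmod 4755 "$1/buggy"
    ln "$1/buggy" "$1/.leftover"
}

# Remove the program with rm only; prints how many setuid files remain (1).
demo_rm_only() {
    d=$(mktemp -d) || return 1
    make_buggy "$d"
    rm "$d/buggy"
    setuid_count "$d"
    rm -rf "$d"
}

# Clear the bit first, then rm; prints how many setuid files remain (0).
demo_chmod_then_rm() {
    d=$(mktemp -d) || return 1
    make_buggy "$d"
    chmod u-s "$d/buggy"
    rm "$d/buggy"
    setuid_count "$d"
    rm -rf "$d"
}

# Audit helper (assumed): setuid/setgid files under the given directories
# that have more than one hard link or are not owned by root.
audit_suid() {
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) \
        \( -links +1 -o ! -user root \) -exec ls -ln {} \; 2>/dev/null
}

# Stand-alone run: prints 1 (rm only) then 0 (chmod u-s first).
demo_rm_only
demo_chmod_then_rm
```

Run `audit_suid /usr/bin /usr/sbin` to check the directories in your own path.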