Date: Sun, 14 Mar 1999 20:07:28 +1000
From: Peter Jeremy
Subject: Re: ACL's
To: robert+freebsd@cyrus.watson.org
Cc: freebsd-security@FreeBSD.ORG
Message-Id: <99Mar14.195521est.40346@border.alcanet.com.au>

Robert Watson wrote:
>BTW, I'd really like to get rid of hard links -- they allow users to
>retain copies of setuid files after the owner thinks they are deleted.

This strikes me as overkill. Why not just change either rm(1) or
unlink(2) to remove set[gu]id bits on executables? This would have
the same net effect and the behaviour can probably be justified.

>I.e., user creates a hard link to /usr/sbin/somesetuidbin to
>/usr/tmp/mytemp.

Normal users shouldn't have write permission anywhere on a partition
containing system binaries - this also removes the problem. (Note
that /usr/tmp is accessible only by root under FreeBSD).

Peter