Date: Wed, 17 Jan 2001 20:19:20 +0900 From: "Daniel C. Sobral" <dcs@newsguy.com> To: "Michael R. Wayne" <wayne@staff.msen.com> Cc: hackers@FreeBSD.ORG Subject: Re: Protections on inetd (and /sbin/* /usr/sbin/* in general) Message-ID: <3A657FB8.A70C0A2D@newsguy.com> References: <200101170335.WAA18537@manor.msen.com>
next in thread | previous in thread | raw e-mail | index | archive | help
"Michael R. Wayne" wrote: > > Recommendation: > A number of the executables located in /sbin and /usr/sbin are > never going to be invoked for any legitimate use by anyone other > than the superuser. In particular, servers such as portmap and > inetd run by non-root users are unlikely to do what was intended. > It seems a prudent measure to simply not set execute permission > by "other" on such programs during the install, giving the user > a handy "Permission denied" message when such an attempt is made. > > For those reading quickly, I am NOT recommending removing execute > permission on ALL of /sbin/* and /usr/sbin/*, only on programs > such as "portmap", "inetd", "lpd", "syslogd", "halt", "reboot" > and others which perform no useful function to normal users. > /sbin/init already enforces this condition, how about expanding it? Setup jail instead. -- Daniel C. Sobral (8-DCS) dcs@newsguy.com dcs@freebsd.org capo@a.crazy.bsdconspiracy.net "There is no spoon." -- Kiki To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3A657FB8.A70C0A2D>