From owner-freebsd-hackers Wed Jan 17 3:25: 4 2001 Delivered-To: freebsd-hackers@freebsd.org Received: from peach.ocn.ne.jp (peach.ocn.ne.jp [210.145.254.87]) by hub.freebsd.org (Postfix) with ESMTP id 53E1237B400 for ; Wed, 17 Jan 2001 03:24:47 -0800 (PST) Received: from newsguy.com (p27-dn02kiryunisiki.gunma.ocn.ne.jp [211.0.245.92]) by peach.ocn.ne.jp (8.9.1a/OCN/) with ESMTP id UAA29822; Wed, 17 Jan 2001 20:24:38 +0900 (JST) Message-ID: <3A657FB8.A70C0A2D@newsguy.com> Date: Wed, 17 Jan 2001 20:19:20 +0900 From: "Daniel C. Sobral" X-Mailer: Mozilla 4.7 [en] (Win98; I) X-Accept-Language: en,pt-BR MIME-Version: 1.0 To: "Michael R. Wayne" Cc: hackers@FreeBSD.ORG Subject: Re: Protections on inetd (and /sbin/* /usr/sbin/* in general) References: <200101170335.WAA18537@manor.msen.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG "Michael R. Wayne" wrote: > > Recommendation: > A number of the executables located in /sbin and /usr/sbin are > never going to be invoked for any legitimate use by anyone other > than the superuser. In particular, servers such as portmap and > inetd run by non-root users are unlikely to do what was intended. > It seems a prudent measure to simply not set execute permission > by "other" on such programs during the install, giving the user > a handy "Permission denied" message when such an attempt is made. > > For those reading quickly, I am NOT recommending removing execute > permission on ALL of /sbin/* and /usr/sbin/*, only on programs > such as "portmap", "inetd", "lpd", "syslogd", "halt", "reboot" > and others which perform no useful function to normal users. > /sbin/init already enforces this condition, how about expanding it? Setup jail instead. -- Daniel C. Sobral (8-DCS) dcs@newsguy.com dcs@freebsd.org capo@a.crazy.bsdconspiracy.net "There is no spoon." -- Kiki To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message