From owner-freebsd-security  Tue Oct  1 11:06:59 1996
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id LAA06384
          for security-outgoing; Tue, 1 Oct 1996 11:06:59 -0700 (PDT)
Received: from alpha.xerox.com (alpha.Xerox.COM [13.1.64.93])
          by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id LAA06376
          for <freebsd-security@freebsd.org>; Tue, 1 Oct 1996 11:06:54 -0700 (PDT)
Received: from crevenia.parc.xerox.com ([13.2.116.11]) by alpha.xerox.com with SMTP id <15717(6)>; Tue, 1 Oct 1996 11:06:13 PDT
Received: from localhost ([127.0.0.1]) by crevenia.parc.xerox.com with SMTP id <177476>; Tue, 1 Oct 1996 11:05:11 -0700
X-Mailer: exmh version 1.6.7 5/3/96
To: Marc Slemko <marcs@znep.com>
cc: freebsd-security@freebsd.org
Subject: Re: setuid programs in freebsd 
In-reply-to: Your message of "Sun, 29 Sep 1996 20:55:48 PDT."
             <Pine.BSF.3.95.960929214259.16956L-100000@alive.ampr.ab.ca> 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 1 Oct 1996 11:05:03 PDT
From: Bill Fenner <fenner@parc.xerox.com>
Message-Id: <96Oct1.110511pdt.177476@crevenia.parc.xerox.com>
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Marc,

  There are certain programs that have been modified to do the minimum 
required tasks before releasing their setuid-ness, e.g. ping and traceroute 
basically do

main()
{
	s = socket();
	setuid(getuid());

I've been meaning to do the same to mrinfo & mtrace for quite a long time.  
Perhaps these could be specially labelled in your document?

>   119   32 -r-sr-xr-x    1 root     bin         16384 Jul 16 20:34 ./usr/sbin
>  /traceroute
>
>COMMENTS: There have been some recent security fixes in traceroute, but
>I am uncertain as to if they fix exploitable holes.  *** 

Yes, the holes are exploitable if you control the DNS of a host that you can 
traceroute through.

>COMMENTS: ping is a very useful thing for users, although there are possible
>denial of service attacks possible, especially with the '-l' option.  There
>have been some potential security holes fixed after 2.1.5 was released,
>but it appears like none of them are exploitable.  Perhaps.

I agree, the setuid(getuid()) in ping was basically belt-and-suspenders kind 
of fix.

  Bill