From owner-freebsd-security Tue Jul 29 18:10:37 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id SAA26375 for security-outgoing; Tue, 29 Jul 1997 18:10:37 -0700 (PDT)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id SAA26360 for ; Tue, 29 Jul 1997 18:10:30 -0700 (PDT)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id VAA16708; Tue, 29 Jul 1997 21:06:39 -0400 (EDT)
From: Adam Shostack
Message-Id: <199707300106.VAA16708@homeport.org>
Subject: Re: security hole in FreeBSD
In-Reply-To: from "Jay D. Nelson" at "Jul 29, 97 07:29:49 pm"
To: jdn@qiv.com (Jay D. Nelson)
Date: Tue, 29 Jul 1997 21:06:39 -0400 (EDT)
Cc: adam@homeport.org, robert+freebsd@cyrus.watson.org, vince@mail.MCESTATE.COM, security@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Let me be clear; I don't have anything against UUCP users, but most
people don't need it turned on. Since parts of it are setuid (and
thus potential security holes), I think it's reasonable to suggest
that it ship either not setuid or as an install option.

Yes, idiots will hurt themselves. Should we try to make FreeBSD
reasonably secure? I think so. I think a good metric to use is don't
install uncommon services by default, require some action to turn them
on.

Adam

Jay D. Nelson wrote:
| Sorry -- I guess I'm an old fart holdout. I use uucp and many of my clients
| use uucp. From what I see, UUCP use is growing even though these machines
| never show up in the maps. I think uucp will grow even more.
|
| Perhaps the best approach, if you really want to take it out of the
| standard distribution, is to make it an option at install time. Those that
| don't know what it is won't install it anyway.
|
| Idiots will blow their feet off no matter how hard you try to protect them.
| All you will accomplish, if you take it out of the distribution, is
| force the idiots to use rm * instead and force me to go to MIT to get
| and install UUCP.
|
| -- Jay
|
| On Tue, 29 Jul 1997, Adam Shostack wrote:
|
| ->Robert Watson wrote:
| ->| On Mon, 28 Jul 1997, Adam Shostack wrote:
| ->|
| ->| > Vincent Poy wrote:
| ->| >
| ->| > su really should be setuid. Everything else is debatable. My
| ->| > advice is to turn off all setuid bits except those you know you need
| ->| > (possibly w, who, ps, ping, at, passwd)
| ->
| ->| Several mail delivery programs (mail.local, sendmail, uucp-stuff, etc)
| ->| require root access to deliver to local mailboxes; crontab related stuff,
| ->| terminal locking, some kerberos commands, local XWindows servers, and su
| ->| all rely on suid.
| ->
| ->I know no one who still runs uucp. There are a few holdouts, but most
| ->systems can leave uucp off with no pain. Ditto with kerberos. :)

--
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume
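
Added example, not part of the original messages: a read-only audit for the "turn off all setuid bits except those you know you need" advice discussed in the thread, listing every setuid file under the given directories that is not on a local allowlist. The function names, the SUID_ALLOW variable and the default allowlist paths are assumptions made for this example.

```shell
#!/bin/sh
# Added example: report setuid files that are not on an allowlist.
# It only reads metadata; it never changes a permission bit.

# Allowlist of absolute paths, separated by spaces (paths containing
# spaces are not supported). The defaults are assumed locations for a
# few of the programs named in the thread; set SUID_ALLOW to local policy.
SUID_ALLOW=${SUID_ALLOW:-"/usr/bin/su /usr/bin/passwd /sbin/ping /usr/bin/at"}

# audit_suid DIR...
# Prints, one per line and sorted, each regular file with the setuid bit
# (mode 4000) set that is not listed in SUID_ALLOW.
audit_suid() {
    # -xdev keeps find on the file system of each starting directory.
    find "$@" -xdev -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r path; do
        # Match on the full path, not the basename: a setuid file
        # called "su" in an unexpected directory must still be reported.
        case " $SUID_ALLOW " in
            *" $path "*) ;;                 # expected, stay quiet
            *) printf '%s\n' "$path" ;;     # unexpected, report for review
        esac
    done
}

# count_unexpected DIR...
# Prints the number of unexpected setuid files, for use in a cron check.
count_unexpected() {
    audit_suid "$@" | wc -l | tr -d ' '
}

# Stand-alone use: sh suid_audit.sh /bin /sbin /usr/bin /usr/sbin /usr/libexec
if [ "$#" -gt 0 ]; then
    audit_suid "$@"
fi
```

Each reported path is a candidate for `chmod u-s` or for an entry in the allowlist once someone has decided the site needs it.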