From owner-freebsd-security Thu Jul 12 12:45:26 2001
Date: Thu, 12 Jul 2001 16:43:07 -0300 (ART)
From: Fernando Gleiser
To: "Portwood, Jason"
Cc: "'security@FreeBSD.ORG'"
Subject: RE: FreeBSD 4.3 local root PREVENTIONS
In-Reply-To: <6381A6A8826BD31199500090279CAFBA2BD50E@exchange.strategicit.net>
Message-ID: <20010712163504.E20419-100000@cactus.fi.uba.ar>

On Thu, 12 Jul 2001, Portwood, Jason wrote:

> >
> >
> > So simple things like going into all the folders and chmod'n
> > things is a very good idea for a lil extra security.
> >
> > along with copying /bin/sh to /tmp/
> > and chmod 0 /tmp/sh
> >
>
> Wouldn't it be a better practice to just mount all the partitions that don't
> need suid as nosuid? Just off the top of my head those candidates would
> be

Yes, it is a better practice, but in this case it doesn't help. The suid
binary you are exec(2)ing is in /bin.

bash-2.03$ mount | grep tmp
/dev/ad2s2 on /tmp (ufs, local, nosuid)
                                ^^^^^^
bash-2.03$ ./a.out
vvfreebsd. Written by Georgi Guninski
shall jump to bfbffe72
child=996
login: # done
# id
uid=0(root) gid=1001(fgleiser) groups=1001(fgleiser)

Fer

>
> /tmp
> /home
> /var
>
> Is there a good reason for not doing this?
>
> Jason Portwood
> jason@iac.net
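
Added example, not part of the original message: the reply's point is that nosuid is checked on the filesystem holding the setuid binary being exec'd, so auditing means mapping each setuid file to its own mount point. The mount table (apart from the /tmp line quoted in the post) and the setuid file list are constructed sample data, and the function names are hypothetical.

```python
import re

# Constructed sample in mount(8) output format; only the /tmp line is from the post.
SAMPLE_MOUNT = """\
/dev/ad2s1a on / (ufs, local)
/dev/ad2s2 on /tmp (ufs, local, nosuid)
/dev/ad2s1f on /usr (ufs, local, soft-updates)
/dev/ad2s1e on /var (ufs, local, nosuid)
procfs on /proc (procfs, local)
"""

# Constructed inventory of setuid files, as an audit with find -perm -4000 might list.
SAMPLE_SETUID = ["/bin/rcp", "/usr/bin/passwd", "/tmp/sh", "/var/tmp/x"]

MOUNT_RE = re.compile(r"^(\S+) on (\S+) \(([^)]*)\)$")

def parse_mounts(text):
    """Return {mount_point: set(options)} parsed from mount(8) output."""
    mounts = {}
    for line in text.splitlines():
        m = MOUNT_RE.match(line.strip())
        if m:
            mounts[m.group(2)] = {o.strip() for o in m.group(3).split(",")}
    return mounts

def mount_point_for(path, mounts):
    """Longest mount point that is a whole-component prefix of path."""
    best = None
    for mp in mounts:
        prefix = mp.rstrip("/") + "/"  # "/tmp" must not match "/tmpfoo"
        if path == mp or path.startswith(prefix):
            if best is None or len(mp) > len(best):
                best = mp
    return best

def honoured_setuid(paths, mounts):
    """Setuid files whose own filesystem lacks nosuid, so the bit still applies."""
    out = []
    for p in paths:
        mp = mount_point_for(p, mounts)
        if mp is not None and "nosuid" not in mounts[mp]:
            out.append((p, mp))
    return out

if __name__ == "__main__":
    for path, mp in honoured_setuid(SAMPLE_SETUID, parse_mounts(SAMPLE_MOUNT)):
        print(f"{path}: setuid honoured (filesystem {mp} lacks nosuid)")
```

On the sample data, the files under /tmp and /var are neutralised while those under / and /usr are still honoured, which is the situation the reply describes.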