From owner-freebsd-questions Wed Jul 3 15:23:38 1996 Return-Path: owner-questions Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id PAA02009 for questions-outgoing; Wed, 3 Jul 1996 15:23:38 -0700 (PDT) Received: from mistery.mcafee.com (jimd@mistery.mcafee.com [192.187.128.69]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id PAA02004 for ; Wed, 3 Jul 1996 15:23:36 -0700 (PDT) Received: (from jimd@localhost) by mistery.mcafee.com (8.6.11/8.6.9) id PAA24532; Sat, 3 Jul 2010 15:28:56 -0700 From: Jim Dennis Message-Id: <201007032228.PAA24532@mistery.mcafee.com> Subject: Re: src tree owners To: fqueries@jraynard.demon.co.uk (James Raynard) Date: Sat, 3 Jul 110 15:28:56 -0700 (PDT) Cc: tcg@ime.net, dwhite@resnet.uoregon.edu, questions@freebsd.org In-Reply-To: <199607022008.UAA00658@jraynard.demon.co.uk> from "James Raynard" at Jul 2, 96 08:08:03 pm X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-questions@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > > > > > On Unix, the `proper` way is for configuration files to be owned by > > > > root - it's not a good idea to allow just anybody to change them! > > > > > > I Agree! My question was/is about the Source tree! > > I originally wrote "critical files such as source code or > configuration files", then changed my mind and deleted the wrong bit. > Sorry about that :-( > > You might consider simply adding yourself to the 'bin' group > Yep, just edit /etc/group. > > (and setting the SGID bit on the directories). The default > Actually, there's no need to set the SGID bit on the directories, as > BSD systems automatically pass the group ownership on to any new > sub-directories created in the current directory - see mkdir(2). > > > configuration seems to leave the sources g+w and owned by > > root.bin. > > Something that just occurred to me - doesn't some network backup > software require a .rhosts file for the user "bin"? If so, doesn't > this leave the system source code potentially vulnerable? I agree. I was thinking of going in and chown'ing those to root.root or chmod'ing them them to 600. > > > In a multi-user environment you should consider installing > > tripwire and being particularly careful to monitor it for > > source tree changes. Anyone who can get a simply change into > > any source file -- and get 'root' to build it can effectively > > take control of the entire system. (This is true of the system > > binaries as well -- but more insidious). > Very true.