Date: Mon, 23 Jun 2003 11:37:49 -0400 (EDT) From: Robert Watson <rwatson@freebsd.org> To: Socketd <db@traceroute.dk> Cc: hackers@freebsd.org Subject: Re: Suid and gid files Message-ID: <Pine.NEB.3.96L.1030623112956.52424D-100000@fledge.watson.org> In-Reply-To: <20030623152341.61b63afc.db@traceroute.dk>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 23 Jun 2003, Socketd wrote: > I just installed FreeBSD 5.1 release and ran a "find / -perm +4000" and > "find / -perm +2000". My question is: are any of these files used by the > system, in a way that prevents me from making them non-executable to the > world? I have no shell users and don't use sendmail. Setuid can be turned off on pretty much all of the binaries; however, as you turn off setuid bits, more and more things will not work for unprivileged users. During normal system operation, privileges are usually "dropped" as opposed to "acquired", so the exceptions are usually for access to raw sockets, system devices, etc. I recently removed the setuid bit from the quota command in -CURRENT, and am in the throes of reviewing the remaining setuid/setgid pieces as part of developing our Security Architecture document. The one potentially problematic case that comes to mind is mail submission by sendmail; mechanisms such as cron, at, etc, expect to be able to generate mail from unprivileged users and that may break if you use sendmail as the MTA but without setuid. There are mail systems that don't require setuid, instead relying on LTMP, which might be preferable in your environment. I also find su very helpful, FWIW :-). > Btw why is /usr/sbin/ppp world readable? (not that is matters) sproing:/usr/sbin> ls -l ppp -r-sr-xr-- 1 root network 367304 May 8 15:16 ppp* Yeah, that is a little inconsistent, although not harmful as far as I can tell. I'll remove the read bit in -CURRENT and we'll see if anyone complains :-). Robert N M Watson FreeBSD Core Team, TrustedBSD Projects robert@fledge.watson.org Network Associates Laboratories
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.NEB.3.96L.1030623112956.52424D-100000>