From owner-freebsd-security Sun Jan 28 23:00:40 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id XAA09455 for security-outgoing; Sun, 28 Jan 1996 23:00:40 -0800 (PST)
Received: from statler.csc.calpoly.edu (statler-srv.csc.calpoly.edu [129.65.241.4]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id XAA09449 for ; Sun, 28 Jan 1996 23:00:37 -0800 (PST)
Received: (from nlawson@localhost) by statler.csc.calpoly.edu (8.6.12/N8) id XAA04062; Sun, 28 Jan 1996 23:00:32 -0800
From: Nathan Lawson
Message-Id: <199601290700.XAA04062@statler.csc.calpoly.edu>
Subject: Re: Ownership of files/tcp_wrappers port
To: wam@fedex.com (William McVey)
Date: Sun, 28 Jan 1996 23:00:32 -0800 (PST)
Cc: security@freebsd.org
In-Reply-To: <199601261956.AA03214@gateway.fedex.com> from "William McVey" at Jan 26, 96 01:58:36 pm
X-Mailer: ELM [version 2.4 PL23]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
Precedence: bulk

> Paul Richards wrote:
> >guys, these are NFS problems. If you want to stop people su'ing to bin
> >then map bin to nobody as well.
>
> I am at a loss as to why we'd want to build band-aids to gloss over
> a problem, rather than the problem itself. It has been mentioned
> before that UNIX was designed to have a single well protected
> administrative id (root). Why would we want multiple accounts that
> now need to have an equivalent amount of protection? You suggest
> that we should fix the NFS to treat 'bin' special as well as root.

One small problem here that no one has mentioned yet: NFS works by uid, not
by account name. Therefore, we'd have to remap uid 1 (bin on most systems),
uid 3 (bin on SunOS), or who knows how many other uids? Once you find
yourself doing that, you might as well write your own Unix.

Let's fix the cause, not patch the symptoms.

-Nate
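
The point about uids versus account names, shown as an added example that is not part of the original message or of any FreeBSD code. It encodes the AUTH_UNIX credential body from RFC 1057 (which carries numeric ids and no account name) and applies a uid-keyed remap on the server side. The passwd excerpts, the helper names, the machine name and the anonymous uid 65534 are constructed assumptions; bin's uid values (1 and 3) follow the message.

```python
import struct

def pack_auth_unix(stamp, machine, uid, gid, gids=()):
    """Encode an AUTH_UNIX credential body as XDR (layout from RFC 1057)."""
    name = machine.encode("ascii")
    pad = b"\0" * (-len(name) % 4)          # XDR strings pad to 4 bytes
    return (struct.pack(">II", stamp, len(name)) + name + pad
            + struct.pack(">III", uid, gid, len(gids))
            + b"".join(struct.pack(">I", g) for g in gids))

def unpack_auth_unix(body):
    """Decode the credential; there is no account-name field to decode."""
    stamp, n = struct.unpack_from(">II", body, 0)
    machine = body[8:8 + n].decode("ascii")
    off = 8 + n + (-n % 4)
    uid, gid, ngids = struct.unpack_from(">III", body, off)
    gids = struct.unpack_from(">%dI" % ngids, body, off + 12)
    return {"stamp": stamp, "machine": machine,
            "uid": uid, "gid": gid, "gids": list(gids)}

def parse_passwd(text):
    """Map uid -> name from passwd(5)-format text."""
    rows = (line.split(":") for line in text.splitlines() if line)
    return {int(f[2]): f[0] for f in rows}

def squash(uid, squashed_uids, anon_uid=65534):
    """Server-side remap keyed on the numeric uid, the only identity sent."""
    return anon_uid if uid in squashed_uids else uid

# Constructed passwd excerpts (hypothetical hosts): bin is uid 3 on the
# SunOS-style client and uid 1 on the server, per the message.
CLIENT_SUNOS = "root:*:0:0::/:/bin/sh\ndaemon:*:1:1::/:\nbin:*:3:3::/bin:\n"
SERVER = "root:*:0:0::/root:/bin/sh\nbin:*:1:1::/:\nsys:*:3:3::/:\n"

def server_view(client_passwd, server_passwd, account, squashed_uids):
    """Return (uid on the wire, name the server resolves, uid after squash)."""
    uid = {n: u for u, n in parse_passwd(client_passwd).items()}[account]
    cred = unpack_auth_unix(pack_auth_unix(0, "client", uid, uid))
    names = parse_passwd(server_passwd)
    return cred["uid"], names.get(cred["uid"]), squash(cred["uid"], squashed_uids)

if __name__ == "__main__":
    # A server that remaps uid 0 and "its" bin (uid 1) to the anonymous uid.
    for account in ("bin", "daemon"):
        print(account, server_view(CLIENT_SUNOS, SERVER, account, {0, 1}))
```

With the remap set to {0, 1}, the client's bin arrives as uid 3 and passes through unmapped, while the client's daemon (uid 1) is the one that gets remapped.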