From: Bruce Campbell
Date: Wed, 2 Jun 1999 11:27:49 +1000 (EST)
To: Cain
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Shell Account system

On Tue, 1 Jun 1999, Cain wrote:

> In addition to tripwire, monitor the existence of all SUID programs, when
> new ones appear make sure you know about it. BTW, ircd is usually SUID, so
> if a user of yours sets that up it's normal. But then how do you know a
> hacker just hasn't named his root shell ircd... so monitor the sizes of
> new SUID programs

Possibly putting my foot in my mouth here, but *why* would ircd need to be SUID to anyone? It commonly runs at the high ports (6667) and thus does not need root for that.

If you want a specific ircd user to run ircd (either by script or by respawning from init), I don't see a need for the ircd binary to be SUID to anyone (executable only by that user yes, SUID no).

Or am I missing something here?

--==--
Bruce.