Date: Wed, 2 Jun 1999 11:47:27 +1000 (EST)
From: Andrew Kenneth Milton <akm@mail.theinternet.com.au>
To: bc@thehub.com.au (Bruce Campbell)
Cc: cain@tasam.com, freebsd-security@FreeBSD.ORG
Subject: Re: Shell Account system
Message-ID: <199906020147.LAA21482@mail.theinternet.com.au>
In-Reply-To: <Pine.BSF.3.96.990602111848.22875i-100000@zerlargal.humbug.org.au> from Bruce Campbell at "Jun 2, 1999 11:27:49 am"

+----[ Bruce Campbell ]---------------------------------------------
| On Tue, 1 Jun 1999, Cain wrote:
|
| > In addition to tripwire, monitor the existence of all SUID programs, when
| > new ones appear make sure you know about it. BTW, ircd is usually SUID, so
| > if a user of yours sets that up it's normal. But then how do you know a
| > hacker just hasn't named his root shell ircd... so monitor the sizes of
| > new SUID programs
|
| Possibly putting my foot in my mouth here, but *why* would ircd need to be
| SUID to anyone? It commonly runs at the high ports (6667) and thus does
| not need root for that.
|
| If you want a specific ircd user to run ircd (either by script or by
| respawning from init), I don't see a need for the ircd binary to be SUID
| to anyone (executable only by that user yes, SUID no)
|
| Or am I missing something here?

It's normally suid because the conf files are readable only by the 'owner'
-- it's also suid to limit the damage you can do, normally you set up an
'irc' account and make it suid that.

--
Totally Holistic Enterprises Internet| P:+61 7 3870 0066    | Andrew
The Internet (Aust) Pty Ltd          | F:+61 7 3870 4477    | Milton
ACN: 082 081 472                     | M:+61 416 022 411    |72 Col .Sig
PO Box 837 Indooroopilly QLD 4068    |akm@theinternet.com.au|Specialist

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
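
Added example, not part of the original message or thread: one way to do the SUID monitoring Cain describes, recording each SUID file's mode, owner and size in a baseline and reporting files that are new or changed since. The function names and the snapshot format are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and the snapshot
# format "mode uid gid size path" are assumptions of this sketch.

# Print one line per SUID regular file under $1: mode uid gid size path.
# Parses `ls -ln` in the C locale, where 8 fields precede the path.
# -xdev stays on one filesystem, so run it once per local mount point.
suid_snapshot() {
    LC_ALL=C find "$1" -xdev -type f -perm -4000 -exec ls -ln {} + 2>/dev/null |
    awk '{
        path = $0
        for (i = 0; i < 8; i++) sub(/^[^ ]+ +/, "", path)
        print $1, $3, $4, $5, path
    }' | sort
}

# Compare baseline snapshot $1 with current snapshot $2.
# NEW     = SUID file that was not in the baseline
# CHANGED = same path, but mode, owner, group or size differs
suid_diff() {
    awk '
    {
        attrs = $1 " " $2 " " $3 " " $4
        path = $0
        for (i = 0; i < 4; i++) sub(/^[^ ]+ +/, "", path)
    }
    FILENAME == ARGV[1] { base[path] = attrs; next }
    !(path in base)     { print "NEW", attrs, path; next }
    base[path] != attrs { print "CHANGED", base[path], "->", attrs, path }
    ' "$1" "$2"
}

# Usage: script snapshot / > baseline     (on a known-good system)
#        script snapshot / > current; script diff baseline current
case "${1:-}" in
    snapshot) suid_snapshot "${2:-/}" ;;
    diff)     suid_diff "$2" "$3" ;;
esac
```

Keep the baseline somewhere the shell users cannot write, since anyone who can edit it can hide a new SUID binary from the comparison.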