Date:      Fri, 11 Aug 2000 14:17:40 -0700 (PDT)
From:      dima@rdy.com (Dima Ruban)
To:        Neil Blakey-Milner <nbm@mithrandr.moria.org>
Cc:        Dima Ruban <dima@rdy.com>, Peter Wemm <peter@netplex.com.au>, Christopher Masto <chris@netmonger.net>, "Chris D. Faulhaber" <jedgar@fxp.org>, Warner Losh <imp@FreeBSD.org>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/gnu/usr.bin/perl Makefile
Message-ID:  <200008112117.OAA19352@sivka.rdy.com>
In-Reply-To: <20000811230910.A58926@mithrandr.moria.org> "from Neil Blakey-Milner at Aug 11, 2000 11:09:10 pm"

Neil Blakey-Milner writes:
> On Fri 2000-08-11 (14:02), Dima Ruban wrote:
> > > > How do you see that resulting in _more_ security holes?
> > > > If /usr/bin/suidperl doesn't exist and some program refers to it, it will
> > > > give you "command not found" (or similar) message.
> > > 
> > > Because people start writing setuid "#! /bin/suidsh -p" scripts instead.
> > > And that is outright suicidal as it is guaranteed exploitable.  It is also
> > > the very reason that suidperl exists.
> > 
> > Following that logic people will nuke /usr/bin/su and replace it with suid to
> > root shell. People don't do it. They aren't _that_ stupid.
> 
> If you didn't provide su, they would.  That's the point.

No, I meant that nuking su, copying sh and making it suid to root would be
much easier than to do the right thing and remember root's password.
We aren't removing suidperl completely. It's just not in the default
installation. All you need to do is to reenable it.

> 
> Neil
> -- 
> Neil Blakey-Milner
> Sunesi Clinical Systems
> nbm@mithrandr.moria.org
> 

-- dima

