Date: Tue, 23 Apr 2002 15:37:04 -0700 (PDT)
From: Jason Stone <jason@shalott.net>
To: Chuck Rock <carock@epctech.com>
Cc: <freebsd-security@FreeBSD.ORG>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:23.stdio
Message-ID: <20020423144648.G76242-100000@walter>
In-Reply-To: <Pine.BSF.4.21.0204230759250.76024-100000@kira.epconline.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> I see this a lot. Why if the answer is always "all of them" isn't
> FreeBSD distributed, and patched, and whatever so this is already
> true.
>
> I can't believe that FreeBSD would allow their system to have these
> suid bits set if they weren't supposed to be that way.

If a program has the setuid bit turned on, it will run as the user who owns the program rather than the user who's running it. In general, this is a bad idea because fundamentally, users should not be able to run code as other users. However, there are some programs which must run as root for either all or part of their functionality and are therefore setuid. However, if you either don't need that program at all, or don't need the functionality that requires root privileges, you can remove the setuid bit to increase system security.

For example, lpr is setuid root so that it can write your print job into the queue. Servers, though, usually don't have printers attached, and therefore have no need of lpr, so the setuid bit can be removed. screen is setuid root so that it can create utmp login records for each window it opens up - this functionality is not necessary for the rest of screen's proper operation, so the setuid bit can be removed.

None of my users use opie/skey, so I removed the setuid bit from keyinit from all my machines - so I'm much less worried about this vulnerability (though of course I still upgrade everything).

So while each setuid program has a reason for being setuid, that doesn't mean that any given box needs each to be setuid.

 -Jason

-----------------------------------------------------------------------
I worry about my child and the Internet all the time, even though she's
too young to have logged on yet. Here's what I worry about. I worry
that 10 or 15 years from now, she will come to me and say "Daddy, where
were you when they took freedom of the press away from the Internet?"
	-- Mike Godwin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQE8xeIQswXMWWtptckRArOyAJ97z/CIsMHkVk8MaTlJgZu4NoIE1gCg0lrJ
nKzH+kP08t9byO3KBRqXSMA=
=e0Fr
-----END PGP SIGNATURE-----
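The audit-and-trim procedure Jason describes, as an added POSIX shell example that is not part of the original post: it inventories the setuid executables under a directory tree (the same `find -perm -4000` check an admin runs against the live system) and clears the bit only from the programs a given host does not need. The demo runs against a constructed temporary tree with empty placeholder files standing in for lpr, screen, keyinit and passwd; those paths are assumptions for the demo, and which programs to keep setuid is a per-host decision, with upgrades still applied as the post notes.

```shell
#!/bin/sh
# Added example, not code from the original mailing-list post.
# Inventory setuid programs under a tree and strip the bit from the
# ones this host does not need. Paths in demo() are placeholders.

# Print every regular file under $1 whose setuid bit (mode 4000) is set.
# This is the usual audit step before deciding what to trim.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Return 0 if $1 is setuid, 1 otherwise (test -u checks the setuid bit).
is_setuid() {
    [ -u "$1" ]
}

# Clear the setuid bit on each path given. Only files that actually
# carry the bit are changed; everything else is reported and skipped.
drop_setuid() {
    for f in "$@"; do
        if [ -u "$f" ]; then
            chmod u-s "$f" && echo "cleared setuid: $f"
        else
            echo "not setuid, skipped: $f"
        fi
    done
}

# Demo in a constructed sandbox tree rather than the live system.
# The file names mirror the post's examples; passwd is kept setuid
# because it genuinely needs root to update the password database.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/bin" "$root/usr/local/bin"
    for p in usr/bin/lpr usr/bin/keyinit usr/local/bin/screen usr/bin/passwd; do
        : > "$root/$p"
        chmod 4755 "$root/$p"      # setuid + rwxr-xr-x, like an installed binary
    done
    echo "setuid inventory before:"
    list_setuid "$root"
    # No printer, no opie/skey users, screen's utmp logging not needed.
    drop_setuid "$root/usr/bin/lpr" "$root/usr/local/bin/screen" "$root/usr/bin/keyinit"
    echo "setuid inventory after:"
    list_setuid "$root"
    rm -rf "$root"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run `sh script.sh demo` to see the before/after inventory on the sandbox tree; against a real host you would point `list_setuid` at `/usr` and pass `drop_setuid` only the binaries you have decided that box does not need. Note that clearing the bit removes the program's ability to do its privileged work (lpr will no longer be able to spool for other users), so the decision is per-program and per-host, exactly as the post argues.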