Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 24 Feb 1997 12:38:23 -0800
From:      jehamby@lightside.com (Jake Hamby)
To:        abelits@phobos.illtel.denver.co.us, angio@aros.net
Cc:        hackers@freebsd.org, auditors@freebsd.org
Subject:   Re: disallow setuid root shells?
Message-ID:  <199702242038.MAA00577@lightside.com>
next in thread | raw e-mail | index | archive | help 
[auditors added back to CC: list]

> >   IMHO adding "anti-setuid" code into shell will help, but that help won't
> > worth the effort of typing "setuid(getuid());" and recompiling the shell
> > -- it only makes one more step required to get the same result unless the
> > system is stripped down until becoming completely useless (but stripped
> > down until becoming completely useless system isn't vulnerable to most of
> > known security bugs anyway).
> 
>    I disagree.  It's a small thing, and very easy to get around, but
> it would help reduce the number of breakins by people who don't 
> understand what they're doing aside from running this program-thingy
> that someone gave them.
> 
>    I freely admit that most of these people will be using widely 
> published exploit code, and that almost any vigilant sysadmin won't
> be vulnerable to them -- but not everybody is anal about keeping their
> computer up to date and secure.  Forgive me for sounding political,
> but if even one or two computers are prevented from having a root
> compromise by this, it seems worthwhile - especially since nobody
> can think of anything it would actually hurt.

My sentiments exactly!  I would think that if there was a valid reason for 
setuid root shells, then a commercial OS like Solaris would probably allow them 
(since paying customers often would rather have functionality than security!).

While of course this will only protect against the lamest of system crackers, 
there really is no compelling reason NOT to do it, and if only one or two 
computers are saved by this, it's worthwhile (hmm, that seems to be exactly what 
you said, isn't it :)

-- Jake

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199702242038.MAA00577>