Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 15 Oct 1996 12:23:16 -0500 (CDT)
From:      Joe Greco <jgreco@brasil.moneng.mei.com>
To:        bde@zeta.org.au (Bruce Evans)
Cc:        freebsd-hackers@freebsd.org, j@uriah.heep.sax.de
Subject:   Re: /sbin/init permission
Message-ID:  <199610151723.MAA26147@brasil.moneng.mei.com>
In-Reply-To: <199610151527.BAA14633@godzilla.zeta.org.au> from "Bruce Evans" at Oct 16, 96 01:27:29 am
next in thread | previous in thread | raw e-mail | index | archive | help 
> >> -r-sr-x---  1 root  operator   12288 Oct  2 04:26 /sbin/shutdown
> >
> >This one makes sense: any member of group `operator' is allowed to
> >shutdown the system, but nobody else.
> 
> It makes no sense for it to be unreadable.

It makes no sense for it to be readable but not executable, I think.

> >> ---s--x--x  2 root  bin       286720 Oct  2 04:19 /usr/bin/sperl4.036
> >> ---s--x--x  2 root  bin       286720 Oct  2 04:19 /usr/bin/suidperl
> >
> >Old paranoia.  SysV UUCP's used to ship with this set of permissions,
> >too.  Basically useless if /usr/src is also on the system. :)
> 
> Really if the user can files and execute chmod.
> 
> >> -r-sr-x---  1 uucp  uucp       90112 Oct  2 04:09 /usr/libexec/uucp/uuxqt
> >
> >Seems to make sense.
> 
> It makes no sense for it to be unreadable, and its nonreadability and
> nonexecutability by `other' breaks the usability of an nfs-mounted /usr
> (for the rare case that root wants to run this directly).  (If it were
> only readable, then root could copy it and run the copy.)

PLEASE DO NOT MAKE THIS EXECUTABLE BY 'other'.  It is very possible to 
bring a system to its knees if there is even a moderate amount of UUCP 
work by doing

while true; do
	/usr/libexec/uucp/uuxqt&
done

You probably do not want to run uuxqt if you have a NFS mounted /usr because
you probably have a NFS mounted /var and Taylor himself says not to run
UUCP on a NFS mounted partition due to locking problems.  

If you REALLY want to do this, you can either change the permissions 
or create a UUCP administrative account that root can su to.  Works fine.

But dropping everyone elses pants to achieve this goal is not cool.

... JG

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199610151723.MAA26147>