Date:      Tue, 15 Oct 1996 12:39:50 -0500 (CDT)
From:      Joe Greco <jgreco@brasil.moneng.mei.com>
To:        bde@zeta.org.au (Bruce Evans)
Cc:        bde@zeta.org.au, luigi@labinfo.iet.unipi.it, freebsd-hackers@FreeBSD.ORG, j@uriah.heep.sax.de
Subject:   Re: /sbin/init permission
Message-ID:  <199610151739.MAA26177@brasil.moneng.mei.com>
In-Reply-To: <199610151536.BAA14817@godzilla.zeta.org.au> from "Bruce Evans" at Oct 16, 96 01:36:34 am

> >> Complete set of standard executables with annoying permissions in
> >> -current:
> >> 
> >> -r-x------  1 bin   bin        20480 Oct  2 04:24 /sbin/init
> >> -r-sr-x---  1 root  operator   12288 Oct  2 04:26 /sbin/shutdown
> >> ---s--x--x  2 root  bin       286720 Oct  2 04:19 /usr/bin/sperl4.036
> >> ---s--x--x  2 root  bin       286720 Oct  2 04:19 /usr/bin/suidperl
> >> -r-sr-x---  1 uucp  uucp       90112 Oct  2 04:09 /usr/libexec/uucp/uuxqt
> >> -r-x------  1 bin   bin        12288 Oct  2 04:42 /usr/sbin/watch
> >...
> >for suid applications there is a reason for being restrictive. For
> 
> I think security by obscurity is the only reason.  This doesn't apply
> to free software.

Respectfully, I do not think that this is true.

I am in favor of "raising the bar" that potential invaders have to jump
over whenever I can.  This includes little things and big things.

Little things can include applying patches for problems suggested in
CERT advisories and then editing the modification times on the files to
be the same as they were before.

Big things can include setting up roadblocks by editing key utilities
to function a little differently.  I know someone who modified "su" to
always fail when su'ing to a wheel group account (including root) ..
this was sorta clever IMHO.  (and the original copy is buried someplace 
dark and deep).

BSD is nice in that it always rounds to 4K so size changes are less
obvious..  but I would rather see utilities that people have no business
needing to read being unreadable.

I understand the NFS argument but generally discount it as baloney..
if it is truly a problem, set up NFS differently.

... JG
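
An added example, not part of the original message or of FreeBSD: a parser for `ls -l` mode strings, run over the listing quoted above, that reports for each binary whether it is setuid/setgid and whether users outside the owner and group can read or execute it. The names `parse_mode` and `audit` are hypothetical.

```python
import stat

# Listing quoted in the message above (taken from the page, not constructed).
LISTING = """\
-r-x------  1 bin   bin        20480 Oct  2 04:24 /sbin/init
-r-sr-x---  1 root  operator   12288 Oct  2 04:26 /sbin/shutdown
---s--x--x  2 root  bin       286720 Oct  2 04:19 /usr/bin/sperl4.036
---s--x--x  2 root  bin       286720 Oct  2 04:19 /usr/bin/suidperl
-r-sr-x---  1 uucp  uucp       90112 Oct  2 04:09 /usr/libexec/uucp/uuxqt
-r-x------  1 bin   bin        12288 Oct  2 04:42 /usr/sbin/watch
"""

SPECIAL = ((stat.S_ISUID, "sS"), (stat.S_ISGID, "sS"), (stat.S_ISVTX, "tT"))

def parse_mode(text):
    """Convert an ls -l mode string such as '-r-sr-x---' to permission bits."""
    perms = text[1:10]
    if len(perms) != 9:
        raise ValueError(f"bad mode string: {text!r}")
    mode = 0
    for i, (bit, chars) in enumerate(SPECIAL):
        r, w, x = perms[3 * i:3 * i + 3]
        if r not in "r-" or w not in "w-" or x not in "x-" + chars:
            raise ValueError(f"bad mode string: {text!r}")
        shift = 6 - 3 * i
        mode |= (4 << shift) if r == "r" else 0
        mode |= (2 << shift) if w == "w" else 0
        # Lowercase s/t means special bit plus execute; uppercase means no execute.
        mode |= (1 << shift) if x in ("x", chars[0]) else 0
        mode |= bit if x in chars else 0
    return mode

def audit(listing):
    """Return one record per listed file with its set-id and 'other' access flags."""
    rows = []
    for line in listing.splitlines():
        f = line.split(None, 8)  # mode links owner group size month day time path
        if len(f) < 9:
            continue
        mode = parse_mode(f[0])
        rows.append({"path": f[8], "owner": f[2], "mode": mode,
                     "setid": bool(mode & (stat.S_ISUID | stat.S_ISGID)),
                     "other_read": bool(mode & stat.S_IROTH),
                     "other_exec": bool(mode & stat.S_IXOTH)})
    return rows

if __name__ == "__main__":
    for r in audit(LISTING):
        print(f"{r['mode']:04o} setid={r['setid']!s:5} other_read={r['other_read']!s:5} "
              f"other_exec={r['other_exec']!s:5} {r['owner']}:{r['path']}")
```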


