Date: Mon, 14 Oct 1996 21:23:42 +0100 (MET)
From: Luigi Rizzo <luigi@labinfo.iet.unipi.it>
To: j@uriah.heep.sax.de (J Wunsch)
Cc: freebsd-hackers@FreeBSD.org
Subject: Re: /sbin/init permission
Message-ID: <199610142023.VAA14230@labinfo.iet.unipi.it>
In-Reply-To: <199610141634.SAA06356@uriah.heep.sax.de> from "J Wunsch" at Oct 14, 96 06:34:18 pm

> As Luigi Rizzo wrote:
>
> > > I'm not even sure whether this is a bug in NFS or not. If the file is
> > > executable, this should probably suffice. OTOH, I think with the
> >
> > Don't think it's a bug. The problem is that /sbin/init is accessed
> > with root ID, and without root=0 the ID is mapped to nobody and
> > access is denied.
>
> Execute permission should suffice to have it executed. Try modifying
> several binaries to mode 0111, and your NFS clients will die horribly
> if you wanna execute them.

I was confused, I thought /sbin/init was treated specially, whereas
it's /kernel which does not need 'x' permissions. Sorry for the
mistake.

One observation, though. If you are root, and you are able to execute
a file, that means that you can also read it. So, the only way to deny
read permissions to a 'root' user is to deny execute as well. To every
user of course.

So I would not call the above a bug, just a security feature. Maybe
things work with mode 0511.

This problem does not exist with local filesystems since 'root' can do
everything locally, no matter what permissions are.

Does that sound reasonable?

And, back to the original question: any objection in changing
/sbin/init permissions to 0555?

	Thanks
	Luigi
====================================================================
Luigi Rizzo                     Dip. di Ingegneria dell'Informazione
email: luigi@iet.unipi.it       Universita' di Pisa
tel: +39-50-568533              via Diotisalvi 2, 56126 PISA (Italy)
fax: +39-50-568522              http://www.iet.unipi.it/~luigi/
====================================================================