Date: Tue, 15 Oct 1996 09:13:31 +0200 (MET DST) From: J Wunsch <j@uriah.heep.sax.de> To: freebsd-hackers@freebsd.org (FreeBSD hackers) Subject: Re: /sbin/init permission Message-ID: <199610150713.JAA11699@uriah.heep.sax.de> In-Reply-To: <199610150611.QAA29647@godzilla.zeta.org.au> from Bruce Evans at "Oct 15, 96 04:11:53 pm"
next in thread | previous in thread | raw e-mail | index | archive | help
As Bruce Evans wrote: > Complete set of standard executables with annoying permissions in > -current: > > -r-x------ 1 bin bin 20480 Oct 2 04:24 /sbin/init > -r-sr-x--- 1 root operator 12288 Oct 2 04:26 /sbin/shutdown This one makes sense: any member of group `operator' is allowed to shutdown the system, but nobody else. > ---s--x--x 2 root bin 286720 Oct 2 04:19 /usr/bin/sperl4.036 > ---s--x--x 2 root bin 286720 Oct 2 04:19 /usr/bin/suidperl Old paranoia. SysV UUCP's used to ship with this set of permissions, too. Basically useless if /usr/src is also on the system. :) > -r-sr-x--- 1 uucp uucp 90112 Oct 2 04:09 /usr/libexec/uucp/uuxqt Seems to make sense. > -r-x------ 1 bin bin 12288 Oct 2 04:42 /usr/sbin/watch > > The missing permissions for `watch' make it unusable by root if /usr > is nfs-mounted without maproot=0. In particular, they suggest that user `bin' were allowed to start watch. Oh well, the source of `watch' is a fine mess... not only that it abuses sgtty instead of termios, it declares main() to return `void' and such. :-( Seems it has been written too late at night. Anyway, the permissions on it are useless, opening the snoop device is already protected by suser() in the kernel, so this should suffice. -- cheers, J"org joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE Never trust an operating system you don't have sources for. ;-)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199610150713.JAA11699>