From owner-freebsd-security Wed Aug 11 14:53: 7 1999
Delivered-To: freebsd-security@freebsd.org
Received: from univ.uniyar.ac.ru (univ.uniyar.ac.ru [193.233.51.120])
    by hub.freebsd.org (Postfix) with ESMTP id E0ECE152CA
    for ; Wed, 11 Aug 1999 14:45:22 -0700 (PDT)
    (envelope-from lae@univ.uniyar.ac.ru)
Received: (from lae@localhost)
    by univ.uniyar.ac.ru (8.9.1/8.9.1) id BAA10432;
    Thu, 12 Aug 1999 01:09:34 +0400 (MSD)
Date: Thu, 12 Aug 1999 01:09:33 +0400
From: "Andrey E. Lerman"
To: Mike Hoskins
Cc: freebsd-security@freebsd.org
Subject: Re: info on suid/sgid files
Message-ID: <19990812010933.A6691@univ.uniyar.ac.ru>
References: <19990811043211.X16510@uniyar.ac.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
User-Agent: Mutt/0.96.3i
In-Reply-To: ; from Mike Hoskins on Wed, Aug 11, 1999 at 01:40:00AM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Aug 11, 1999 at 01:40:00AM -0700, Mike Hoskins wrote:
> On Wed, 11 Aug 1999, Andrey E. Lerman wrote:
>
> > It would be nice if info about need of increased privileges
> > needed for given program would be clearly stated in manpage.
>
> I'm not sure how much info is needed about increased privileges...
> There's a lot of writeups (CERT's security checklist and an article I did
> for the FreeBSD 'Zine to name a couple) that already say 'If you don't
> need it ... turn it off'. Beyond saying that, I'd hope the admin could...
>
> Type:  find / \( -perm -2000 -o -perm -4000 \) -print > audit.log
>        more audit.log

Actually, this is done every day in a cron job.

>
> Think: 'I only need foo, I'll chmod the others appropriately.'
>
> Man pages generally do mention files they need/use... From which you can
> decide which users or groups need access to what files for a system to
> function appropriately.

I just want to know "what will change if I turn that bit off".
I saw references to files, but, say, the manpage for ps mentions /dev/kmem,
/kernel, etc. but it isn't clear what it will use those files/devices for.
I killed suid on ps and it continues working for me. I haven't tested
it fully though.

Sometimes I don't have the machine to experiment on. I will have problems
if I screw something up which will be fatal to users' operation
(such as users will not be able to do their job).

In my case the situation is better as I don't really have many shell accounts
on that machine.

--
Andrey E. Lerman @ Yaroslavl State University
ICQ: 9418370, primary email: lae@uniyar.ac.ru
[Lae] on IRCNet
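
The daily cron audit mentioned in this message, as an added example that is not part of the original post and is not FreeBSD's own script: it keeps a baseline of set-uid/set-gid files and reports only what changed since the last run, so a bit removed by hand (as was done to ps here) is recorded together with its old mode and can be restored. The function names and the baseline path are assumptions.

```sh
#!/bin/sh
# Added example: baseline-and-diff audit of set-uid/set-gid files.
# Function names and the baseline path below are assumptions.

suid_snapshot() {
    # $1 = tree to scan. Same -perm test as the find command quoted above,
    # limited to regular files. Prints path<TAB>mode<TAB>uid:gid, sorted.
    ( LC_ALL=C; export LC_ALL   # fixed ls date layout and sort order
      find "$1" -type f \( -perm -2000 -o -perm -4000 \) \
           -exec ls -ldn {} + 2>/dev/null |
      awk '{ p = $9; for (i = 10; i <= NF; i++) p = p " " $i
             print p "\t" $1 "\t" $3 ":" $4 }' | sort )
}

suid_changes() {
    # $1 = previous snapshot, $2 = current snapshot (both from suid_snapshot).
    # "+" = new or changed entry, "-" = entry that vanished or lost the bit.
    LC_ALL=C comm -13 "$1" "$2" | sed 's/^/+ /'
    LC_ALL=C comm -23 "$1" "$2" | sed 's/^/- /'
}

suid_audit() {
    # $1 = tree to scan, $2 = baseline file kept between runs.
    # Prints the changes and returns 1 if there are any, 0 if none.
    new=$(mktemp) || return 2
    suid_snapshot "$1" > "$new"
    [ -f "$2" ] || : > "$2"     # first run: empty baseline, all entries are "+"
    changes=$(suid_changes "$2" "$new")
    mv "$new" "$2"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# Daily cron use (hypothetical baseline path):
#   suid_audit / /var/db/suid.baseline
```

A changed mode or owner on a file that keeps its bit shows up as a `-`/`+` pair for the same path.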