Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 22 Jan 1996 12:02:50 +0100 (MET)
From:      Luigi Rizzo <luigi@labinfo.iet.unipi.it>
To:        davidg@Root.COM
Cc:        imp@village.org, hackers@FreeBSD.org, dworkin@rover.village.org
Subject:   Re: Security (was: Re: Two commands: icat and ils)
Message-ID:  <199601221102.MAA04840@labinfo.iet.unipi.it>
In-Reply-To: <199601221032.CAA14292@Root.COM> from "David Greenman" at Jan 22, 96 02:32:23 am
next in thread | previous in thread | raw e-mail | index | archive | help 
> >Why ? Security must be enforced with proper protections, not by
> >simply trying to hide information which *is* available. One thing
> >I never liked in FreeBSD:
> >
> >    www# ls -l /sbin/init /sbin/shutdown
> >    -r-x------  1 bin   bin       143360 Nov 16 10:49 /sbin/init
> >    -r-sr-x---  1 root  operator  135168 Nov 16 10:49 /sbin/shutdown
> >
> >as if denying *read* access to these publicly available files would
> >prevent anyone from rebuilding them from the sources or getting a
> >copy from the binary distribution or from the CDROM.
> 
>    That's not the reason they have read permissions removed. It's common for
> people to have /sbin in their path - to pick up useful utilities which
> probably shouldn't be in /sbin anyway (like ifconfig and ping, for example),
> and executing /sbin/init by accident is not a good thing.

Two objections:

1) just make /sbin/init mode 544 then. Actually, shouldn't it work
   even if it has mode 444 ?
2) would it be that hard to fix init so as to quit if its not
   appropriate for it to run (e.g. check process id, another instance
   running, etc.) ? I am asking because I don't know what are the
   implications, but if the consequences are so bad...

You may wonder why I would like to have this changed: it is useful
for those settings where you have diskless system with NFS-mounted
root partition.

	Luigi
====================================================================
Luigi Rizzo                     Dip. di Ingegneria dell'Informazione
email: luigi@iet.unipi.it       Universita' di Pisa
tel: +39-50-568533              via Diotisalvi 2, 56126 PISA (Italy)
fax: +39-50-568522              http://www.iet.unipi.it/~luigi/
====================================================================

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199601221102.MAA04840>