Date: Tue, 4 Nov 1997 16:27:40 -0700 (MST)
From: Brandon Gillespie <brandon@roguetrader.com>
To: Tom <tom@sdf.com>
Cc: James Raynard <fhackers@jraynard.demon.co.uk>, freebsd-hackers@FreeBSD.ORG
Subject: Re: Suggested addition to /etc/security
Message-ID: <Pine.BSF.3.96.971104162113.1281B-100000@roguetrader.com>
In-Reply-To: <Pine.BSF.3.95q.971101164134.15022I-100000@misery.sdf.com>
On Sat, 1 Nov 1997, Tom wrote:
> On Thu, 30 Oct 1997, James Raynard wrote:
> >
> > echo "checking for invalid user or group ids:"
> >
> > find / -nouser -nogroup
>
> How does this check improve security?

It depends upon how your system is set up. If _ALL_ of the files a user will ever use are contained within their home directory, then this check does nothing. However, many systems (myself included, which is what made me think of it) don't do this. I have several projects running on my server, and people own files throughout several different filesystems. If I remove a user--these files are still owned by them. This in itself isn't a problem, until you consider that the add user programs (those I've checked, ''pw'' included) default to reusing user ids! (This should also be changed--it's not like we don't have enough of a range for the general case.) So if I nix somebody, then a week later add another user which gets the old guy's uid--he also gets all the files and programs of the old guy.

While in general this isn't a big security issue, it's still a problem (could be a very BIG problem on some systems). Consider a server where (for whatever reason) a private file was stored in a location other than the user's home directory. Because of the situation as explained above, another user is then assigned their uid. They then have access to these files and YOU are suddenly liable for it (sure, this scenario isn't bulletproof, but it does demonstrate the concerns).

-Brandon Gillespie
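The two halves of the concern above, finding files whose owner or group no longer exists and not handing a retired uid to the next account, can both be checked from the command line. The script below is an added example, not the proposed /etc/security check and not code from this thread or from FreeBSD. It works from a pre-collected listing of "uid gid path" lines so it can be run and tested without root; on a live system that listing would come from a walk such as `find / -xdev -printf '%U %G %p\n'` (GNU find syntax, assumed here), and `orphan_files` then reports what `find / -nouser -nogroup` would, except that it flags an entry when either the owner or the group is unknown. The `RETIRED` file used by `next_uid_no_reuse` is a hypothetical record of uids that have been removed, one per line, appended whenever an account is deleted.

```shell
#!/bin/sh
# Added example (not from the original mail or from FreeBSD's /etc/security).
# orphan_files PASSWD GROUP LISTING
# Print every listing line ("uid gid path") whose numeric uid does not appear
# in PASSWD's third field or whose numeric gid does not appear in GROUP's.
# These are the files that a newly created account inheriting the old uid
# would silently own.
orphan_files() {
    awk -v pw="$1" -v gr="$2" '
        BEGIN {
            # Build lookup tables of known uids and gids from passwd/group.
            while ((getline line < pw) > 0) { split(line, f, ":"); uids[f[3]] = 1 }
            while ((getline line < gr) > 0) { split(line, f, ":"); gids[f[3]] = 1 }
            close(pw); close(gr)
        }
        # $1 = uid, $2 = gid; the rest of the line is the path (may contain spaces).
        !($1 in uids) || !($2 in gids) { print }
    ' "$3"
}

# next_uid_no_reuse PASSWD RETIRED MIN
# Pick a uid for a new account that is higher than every uid ever issued:
# the highest uid present in PASSWD and in RETIRED (hypothetical file, one
# retired uid per line), but never below MIN. This is the "never reuse"
# policy, as opposed to handing out the lowest free uid.
next_uid_no_reuse() {
    awk -v min="$3" '
        BEGIN { max = min - 1 }
        # First file: passwd entries, uid is the third colon-separated field.
        FILENAME == ARGV[1] { split($0, f, ":"); if (f[3] + 0 > max) max = f[3] + 0; next }
        # Second file: retired uids, one per line.
        { if ($1 + 0 > max) max = $1 + 0 }
        END { print max + 1 }
    ' "$1" "$2"
}

# Usage on a live system (listing produced by the find command in the lead-in):
#   orphan_files /etc/passwd /etc/group /var/tmp/listing.txt
#   next_uid_no_reuse /etc/passwd /var/db/retired-uids 1000
```

Running `orphan_files` from a nightly job gives the report the proposed /etc/security line would give, and `next_uid_no_reuse` shows the alternative to the reuse default: because it never goes below the largest uid ever issued, a deleted user's leftover files stay unowned until an administrator deals with them instead of being inherited by whoever is created next.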