Date:      Fri, 11 Aug 2000 16:06:53 -0400
From:      Christopher Masto <chris@netmonger.net>
To:        Warner Losh <imp@village.org>
Cc:        John Hay <jhay@icomtek.co.za>, Mark Murray <mark@grondar.za>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/gnu/usr.bin/perl Makefile
Message-ID:  <20000811160642.D12290@netmonger.net>
In-Reply-To: <200008111948.NAA60882@harmony.village.org>; from imp@village.org on Fri, Aug 11, 2000 at 01:48:08PM -0600
References:  <200008111945.e7BJjlj58635@zibbi.mikom.csir.co.za> <200008111948.NAA60882@harmony.village.org>

On Fri, Aug 11, 2000 at 01:48:08PM -0600, Warner Losh wrote:
> Yes.  That's what convinced me that we want to update their suidperl,
> but set it to mode 0.

There is precedent:

    SuSE distributions are not susceptible to this problem because
    /usr/bin/suidperl is mode 755 (not suid) by default. Administrators
    must explicitly have enabled suidperl by changing the permission modes
    of the interpreter to 4755 root.root (suid root) for the exploit
    mechanism to work.

    In SuSE-Linux, activating suidperl is done by changing one of the
    files /etc/permissions.(easy|secure) and running SuSEconfig or
    `chkstat -set /etc/permissions.(easy|secure)', alternatively,
    depending on the setting of PERMISSION_SECURITY in /etc/rc.config.
    If SuSEconfig is turned off completely, the administrator of the
    system is obliged to change the permission modes by hand.
    The decision to not activate suidperl has been made because
    security problems were expected in the wild.

It seems like a reasonable idea.
-- 
Christopher Masto         Senior Network Monkey      NetMonger Communications
chris@netmonger.net        info@netmonger.net        http://www.netmonger.net

Free yourself, free your machine, free the daemon -- http://www.freebsd.org/
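
A check for the three states distinguished in this message and the quoted SuSE text (mode 0, mode 755, setuid 4755), as an added example that is not part of the original e-mail or of FreeBSD or SuSE tooling. The function names are hypothetical; /usr/bin/suidperl is the path named in the SuSE text and is only the default argument.

```shell
#!/bin/sh
# Added example (constructed, not from the thread): report which of the
# states discussed above a suidperl binary is in.

# suid_state FILE -> prints absent | disabled | not-suid | suid
suid_state() {
    [ -e "$1" ] || { echo absent; return 0; }
    # First 10 chars of `ls -ld` are file type + permission bits, e.g. -rwsr-xr-x
    perms=$(ls -ld "$1" | cut -c1-10)
    case $perms in
        ?---------) echo disabled ;;   # mode 0: installed, but nobody may run it
        ???[sS]*)   echo suid ;;       # setuid bit set (4755 in the SuSE text)
        *)          echo not-suid ;;   # e.g. 755, the SuSE default
    esac
}

# audit_suidperl [FILE...] -> one line per file; returns 1 if any is setuid.
# With no arguments it checks the path named in the SuSE text.
audit_suidperl() {
    [ $# -gt 0 ] || set -- /usr/bin/suidperl
    rc=0
    for f in "$@"; do
        state=$(suid_state "$f")
        if [ "$state" = absent ]; then
            echo "$f: absent"
            continue
        fi
        # Owner matters: the SuSE text describes 4755 root.root
        owner=$(ls -ld "$f" | awk '{print $3}')
        echo "$f: $state (owner $owner)"
        if [ "$state" = suid ]; then rc=1; fi
    done
    return $rc
}

audit_suidperl "$@" || echo "setuid interpreter present; confirm it was enabled on purpose" >&2
```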

