From: Christopher Masto
Date: Fri, 11 Aug 2000 16:06:53 -0400
To: Warner Losh
Cc: John Hay, Mark Murray, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/gnu/usr.bin/perl Makefile
Message-ID: <20000811160642.D12290@netmonger.net>
References: <200008111945.e7BJjlj58635@zibbi.mikom.csir.co.za> <200008111948.NAA60882@harmony.village.org>
In-Reply-To: <200008111948.NAA60882@harmony.village.org>; from imp@village.org on Fri, Aug 11, 2000 at 01:48:08PM -0600

On Fri, Aug 11, 2000 at 01:48:08PM -0600, Warner Losh wrote:
> Yes. That's what convinced me that we want to update their suidperl,
> but set it to mode 0.

There is precedent:

SuSE distributions are not susceptible to this problem because /usr/bin/suidperl is mode 755 (not suid) by default. Administrators must explicitly have enabled suidperl by changing the permission modes of the interpreter to 4755 root.root (suid root) for the exploit mechanism to work. In SuSE-Linux, activating suidperl is done by changing one of the files /etc/permissions.(easy|secure) and running SuSEconfig or `chkstat -set /etc/permissions.(easy|secure)', alternatively, depending on the setting of PERMISSION_SECURITY in /etc/rc.config.

If SuSEconfig is turned off completely, the administrator of the system is obliged to change the permission modes by hand. The decision to not activate suidperl has been made because security problems were expected in the wild.

It seems like a reasonable idea.

-- 
Christopher Masto
Senior Network Monkey
NetMonger Communications
chris@netmonger.net info@netmonger.net http://www.netmonger.net

Free yourself, free your machine, free the daemon -- http://www.freebsd.org/
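
An added example, not part of the original message or of any FreeBSD or SuSE tooling: a small POSIX sh audit that distinguishes the three states discussed above (mode 0, mode 755, and 4755 suid) for an interpreter binary. The function names are hypothetical, and any path other than the /usr/bin/suidperl named in the message is an assumption to be supplied by the administrator.

```shell
#!/bin/sh
# Added example: report the permission state of a setuid-capable interpreter.
# Usage: sh audit.sh /usr/bin/suidperl [other paths...]
# Paths other than /usr/bin/suidperl are assumptions, not taken from the message.

# interp_state PATH -> prints missing | disabled | setuid | not-setuid
interp_state() {
    p=$1
    if [ ! -e "$p" ]; then
        echo missing
    elif [ -n "$(find -L "$p" -prune -perm -4000 2>/dev/null)" ]; then
        echo setuid          # e.g. 4755: runs with the owner's privileges
    elif [ -n "$(find -L "$p" -prune -perm 0 2>/dev/null)" ]; then
        echo disabled        # mode 0: installed, but no execute bit for anyone
    else
        echo not-setuid      # e.g. 755: executable, no privilege gain
    fi
}

# audit_interps PATH... -> one "state<TAB>path" line per path;
# returns 1 if any path has the setuid bit set, 0 otherwise.
audit_interps() {
    rc=0
    for p in "$@"; do
        state=$(interp_state "$p")
        printf '%s\t%s\n' "$state" "$p"
        [ "$state" = setuid ] && rc=1
    done
    return "$rc"
}

# Run only when paths are given on the command line.
if [ "$#" -gt 0 ]; then
    audit_interps "$@"
fi
```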