Date:      Fri, 30 Mar 2012 17:16:03 +0200
From:      "Julian H. Stacey" <jhs@berklix.com>
To:        arch@freebsd.org
Subject:   Should standard binaries & directories revert from uid=root to bin ?
Message-ID:  <201203301516.q2UFG3ee013758@fire.js.berklix.net>

Hi arch@
Time was, (& I can go back over 25 years here, but more recently too :-)
When standard Unix non SUID executables such as wc would be UID=bin,
GID=bin, & not root.  Ditto bin/ & lib/ etc directories.

One advantage was:
  Anything that showed up with ls -l as UID=0 was either a SUID
  special, known to the admin's eye, or some administrative dropping,
  mistakenly created by someone logged in as root, to be reviewed/
  regenerated/ deleted.

Now all is UID=0.  Why ? What advantage did it bring ?

Obviously some SUID & SGID executables need 0 (some could need just bin!)
but most files & directories do not need UID 0.

BTW, How I noticed this : 
  I was tracing why 
	/usr/sbin/sshd -d -d -d -D
  was erroring:
	debug3: secure_filename: checking '/.amd_mnt/sshd_host/ad4s1/usr1/home'
        Authentication refused: bad ownership or modes for directory
		 /.amd_mnt/sshd_host/ad4s1/usr1/home
  just because my ~/.ssh was symbolically linked via AMD+NFS mounted on another
  host, & there an intermediate directory was owned by bin & not root,
	ls -la /host/sshd_host/ad4s1/usr1/home 
        	drwxr-xr-x  18 bin     bin       512 Mar  6 11:56 ./
  so I had to
	chown root:wheel /ad4s1/usr1/home
  Just to satisfy sshd being pointlessly strict, as directory was 755.

So we have sshd that's pointlessly strict, & ownerships that seem
to have near all lost their precision. A funny combo ;-)

Might others tackle the generic over use of root ?
If so I could create a patch to send-pr ssh  ? 
(but as ssh is an import, maybe just report & not [yet?] patch ?)

Cheers,
Julian
-- 
Julian Stacey, BSD Unix Linux C Sys Eng Consultants Munich http://berklix.com
 Reply below not above, cumulative like a play script, & indent with "> ".
 Format: Plain text. Not HTML, multipart/alternative, base64, quoted-printable.
	Mail from @yahoo dumped @berklix.  http://berklix.org/yahoo/
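As an added example, not part of Julian's mail or of OpenSSH itself: the walk below mimics what sshd's `secure_filename()` does under `StrictModes` when it inspects `authorized_keys`, so an admin can see in advance which path component will produce "bad ownership or modes". The rule it reproduces is that every component, from the (symlink-resolved) file up to the user's home directory or `/`, must be owned by root or by the user and must not be group- or world-writable; a 0755 directory owned by `bin` therefore fails on ownership alone, exactly as in the mail. The path names, uid 1001 and the `bin` uid 3 in the built-in table are constructed for the demonstration.

```python
import os
import stat
import sys


def _os_stat(path):
    """Real stat: return (owner uid, permission bits) for path."""
    st = os.stat(path)
    return st.st_uid, stat.S_IMODE(st.st_mode)


def offending_components(path, uid, home, stat_fn=_os_stat):
    """Return [(component, reason), ...] that sshd's StrictModes walk rejects.

    path must already be symlink-resolved (sshd uses realpath()); the walk
    checks the file, then each parent, stopping at home or "/". Ownership by
    root (uid 0) or by uid is accepted; any group/world write bit is not.
    """
    problems = []
    home = os.path.normpath(home)
    cur = os.path.normpath(path)
    while True:
        owner, mode = stat_fn(cur)
        if owner != 0 and owner != uid:
            problems.append((cur, "owned by uid %d, not root or uid %d" % (owner, uid)))
        if mode & 0o022:
            problems.append((cur, "group/world writable (mode %04o)" % mode))
        if cur == home or cur == "/":
            break
        parent = os.path.dirname(cur)
        if parent == cur:  # defensive: relative path exhausted
            break
        cur = parent
    return problems


# Constructed stand-in for the NFS/AMD layout from the mail: the user's home is
# /home/alice, but ~/.ssh resolves under /.amd_mnt/..., so the walk never meets
# the home directory and continues up to "/", crossing a bin-owned directory.
BIN_UID = 3      # assumption: FreeBSD's "bin" user
ALICE_UID = 1001  # constructed user

def constructed_table(fixed=False):
    table = {
        "/": (0, 0o755),
        "/.amd_mnt": (0, 0o755),
        "/.amd_mnt/host": (0, 0o755),
        "/.amd_mnt/host/usr1": (0, 0o755),
        "/.amd_mnt/host/usr1/home": (BIN_UID, 0o755),  # the culprit: 0755 but bin-owned
        "/.amd_mnt/host/usr1/home/alice": (ALICE_UID, 0o755),
        "/.amd_mnt/host/usr1/home/alice/.ssh": (ALICE_UID, 0o700),
        "/.amd_mnt/host/usr1/home/alice/.ssh/authorized_keys": (ALICE_UID, 0o600),
    }
    if fixed:  # equivalent of "chown root:wheel" on the intermediate directory
        table["/.amd_mnt/host/usr1/home"] = (0, 0o755)
    return table


def demo_problems(fixed=False):
    table = constructed_table(fixed)
    return offending_components(
        "/.amd_mnt/host/usr1/home/alice/.ssh/authorized_keys",
        ALICE_UID, "/home/alice", stat_fn=lambda p: table[p])


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: script.py <file> <home>  (real filesystem, current user)
        resolved = os.path.realpath(sys.argv[1])
        found = offending_components(resolved, os.getuid(), sys.argv[2])
    else:
        found = demo_problems()
    for comp, why in found:
        print("sshd would refuse: %s (%s)" % (comp, why))
    if not found:
        print("ownership and modes acceptable to StrictModes")
```

Run with no arguments to replay the constructed case; with a file and a home directory it stats the real filesystem as the invoking user, which is a quick way to audit a user's key path before `sshd -d` has to tell you.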