Message-ID: <19981117074138.A11602@internal>
Date: Tue, 17 Nov 1998 07:41:38 +0100
From: Andre Albsmeier
To: Nate Williams, Warner Losh
Cc: Andre Albsmeier, Matthew Dillon, freebsd-security@FreeBSD.ORG
Subject: Re: Would this make FreeBSD more secure?
In-Reply-To: <199811161940.MAA19331@mt.sri.com>; from Nate Williams on Mon, Nov 16, 1998 at 12:40:12PM -0700

On Mon, Nov 16, 1998 at 12:40:12PM -0700, Nate Williams wrote:
> > : That is exactly my opinion. I think a program should run with the
> > : minimum privileges it really needs to and not more.
> >
> > I still think that it is a lot of effort for just one or two
> > programs. xlock and xlockmore (basically the same program) are the
> > only two programs that I'm aware of that need to access the password
> > file and not change the uid of the process. Where are the rest of the
> > half dozen :-)...
>
> The other issue is since they will no longer be setuid(), someone can
> crash them and get the passwd file from them to crack later or we'd have
> to change all of the 'don't dump core' code to look for setgid(passwd)
> stuff. All of a sudden this 'simple fix' gets to be obnoxious and isn't
> buying us a whole lot.

That means that setuid progs don't dump core. I didn't know that, but it
sounds reasonable, of course.

> Setuid is *NOT* evil in all cases, you simply must be careful. The fact
> of the matter is *some* programs must have root privileges to do their
> job securely and/or at all.

I just was alarmed by xlockmore that a program runs setuid root all the
time only to check the password the user enters. And, regardless of whether
xlockmore has known bugs or not, this applies to all screen savers. They
do rather complex stuff from time to time and therefore it's likely they
crash.

> Nate

-Andre
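The least-privilege pattern the thread argues about, as an added example that is not code from the thread or from xlockmore: do the privileged work (reading the password file) once at startup, then permanently drop the setuid/setgid privileges and disable core dumps before entering the long-running, crash-prone saver code, so a crash can neither leak the password database nor hand out root. The hash buffer in the test is a constructed placeholder, not a real password-file entry.

```c
/* Added example, not from the thread: privileged read first, then drop
 * privileges and forbid core dumps before the crash-prone saver runs,
 * so neither the password file nor root privileges survive a crash. */
#define _DEFAULT_SOURCE 1
#include <unistd.h>
#include <sys/types.h>
#include <sys/resource.h>
#include <grp.h>

/* Refuse to write a core file; returns 0 on success, -1 on failure. */
int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };
    if (setrlimit(RLIMIT_CORE, &rl) == -1)
        return -1;
    return (getrlimit(RLIMIT_CORE, &rl) == 0 && rl.rlim_cur == 0) ? 0 : -1;
}

/* Permanently drop to the invoking user's real uid/gid and verify it stuck. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Only root may reset supplementary groups; do it before losing root. */
    if (geteuid() == 0 && setgroups(1, &rgid) == -1)
        return -1;
    /* Group first: once the uid is unprivileged, setgid() would fail. */
    if (setgid(rgid) == -1 || setuid(ruid) == -1)
        return -1;
    if (getuid() != ruid || geteuid() != ruid ||
        getgid() != rgid || getegid() != rgid)
        return -1;
    /* A now-unprivileged process must not be able to regain root. */
    if (ruid != 0 && seteuid(0) != -1)
        return -1;
    return 0;
}

/* Overwrite a secret (password, hash) so a later dump cannot contain it;
 * returns the number of bytes still non-zero, which must be 0. */
size_t secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    size_t i, left = 0;
    for (i = 0; i < n; i++)
        v[i] = 0;
    for (i = 0; i < n; i++)
        left += v[i] != 0;
    return left;
}
```

Call `drop_privileges()` and `disable_core_dumps()` immediately after the password hash has been read, and `secure_wipe()` on both the typed password and the hash as soon as the comparison is done.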