Date: Wed, 03 Nov 1999 07:21:20 -0800 From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca> To: cjclark@home.com Cc: beaupran@iro.umontreal.ca (Spidey), peter.jeremy@alcatel.com.au, freebsd-security@FreeBSD.ORG Subject: Re: Examining FBSD set[ug]ids and their use Message-ID: <199911031521.HAA25358@cwsys.cwsent.com> In-Reply-To: Your message of "Mon, 01 Nov 1999 23:49:57 EST." <199911020449.XAA03496@cc942873-a.ewndsr1.nj.home.com>
next in thread | previous in thread | raw e-mail | index | archive | help
In message <199911020449.XAA03496@cc942873-a.ewndsr1.nj.home.com>, "Crist J. Cl
ark" writes:
> Spidey wrote,
> > > ># Allow users to bind on a socket (which? where?)
> > > > ping mode=4555
> > > Needed to allow ordinary mortals to sent raw IP (ICMP) packets.
> >
> > I don't think this should be enable by default... on a shell box, this
> > could cause some pretty dense headaches...
>
> You don't think mortal users should be able to ping? IMHO, ping is a
> _very_ basic utility that generally should be turned on. I don't want
> to have to 'su' to root everytime I want to ping a host to see if it
> is awake. Same goes for traceroute(8).
I've seen and tried ping exploits for Sun and DEC platforms that are
supposed to relinquish root to an attacker, though my tests have crashed
the boxes rather than relinquish root.
Something my team has been discussing, without consensus of course,
is providing sudo access to ping to users we trust.
>
> If you want to turn off the setuid (in which case you might as well
> chmod to 700 as well), you can, but I really don't see it as the
> default setup.
Agreed.
Regards, Phone: (250)387-8437
Cy Schubert Fax: (250)387-5766
Sun/DEC Team, UNIX Group Internet: Cy.Schubert@uumail.gov.bc.ca
ITSD Cy.Schubert@gems8.gov.bc.ca
Province of BC
"e**(i*pi)+1=0"
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199911031521.HAA25358>