Date: Mon, 04 Jan 1999 22:53:59 +0100 From: Gary Jennejohn <garyj@peedub.muc.de> To: freebsd-isdn@FreeBSD.ORG Subject: Re: regexp program Message-ID: <199901042153.WAA08158@peedub.muc.de> In-Reply-To: Your message of "Mon, 04 Jan 1999 21:43:03 %2B0100." <Pine.GSO.3.96.990104213249.5700A-100000@sun-chris.medis.de>
next in thread | previous in thread | raw e-mail | index | archive | help
Christian Wolf writes: > >Hi! > >On Mon, 4 Jan 1999, Hellmuth Michaelis wrote: > >> On Mon, Jan 04, 1999 at 08:06:13PM +0100, Wilko Bulte wrote: >> > >> > Security is a concern, true. It would be the (sick) hack of the >> > century if you could stick a regexp/regprog in somebody's isdnd.rc >> > that did (e.g) 'dd if=/dev/zero of=/dev/rsd0c' > >If I could stick a regexp/regprog in somebody's isdnd.rc I can do >a 'dd if=/dev/zero of=/dev/rsd0c' as well, can't I? > you lack the true hacker mentality ;-) It's the Trojan Horse aspect which makes it interesting. >> > In that respect I'd say it might make sense to not execute the regprog as >root. >> > It looks like isdnd/exec.c just execs whatever you feed it. Maybe a setuid >(nobody) >> > first? >> >> Something like that - on the other side: who should be permitted to access >> /dev/i4b* and wouldn't it be appropriate at this time to add group "isdn" >> to /etc/groups? >> >> I really didn't thought about all this stuff much, what do other people >> think about that ? >> >> Thoughts, comments ? > >Make isdnd check the owner and permission of isdnd.rc. If it is >not owned by root(0) or has not a mode like 0644 isdnd should refuse it. > it's not isdnd.rc that's of concern, it's the program pointed at by the regprog entry. I think Wilko's suggestion of changing the uid is probably the simplest and most secure way to handle this issue. Of course, if we had a group isdn we could change the gid. Obviously, regprog would have to be executable for group isdn in that case. Regarding /dev/i4b*, leave them only accessible for root. isdnd runs as root and noone really has any business playing around with these devices. --- Gary Jennejohn Home - garyj@muc.de Work - garyj@fkr.dec.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isdn" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199901042153.WAA08158>