Date:      Fri, 28 Aug 1998 22:42:52 -0700 (PDT)
From:      "Jan B. Koum " <jkb@best.com>
To:        scex <scex@dqc.org>
Cc:        "Jeffrey J. Mountin" <jeff-ml@mountin.net>, security@FreeBSD.ORG
Subject:   Re: Shell history 
Message-ID:  <Pine.BSF.4.02A.9808282239160.19658-100000@shell6.ba.best.com>
In-Reply-To: <Pine.BSF.4.02.9808282218130.29890-100000@dqc.org>


On Fri, 28 Aug 1998, scex wrote:

>> >>	One can just "cp" the executable.
>
>> >But in order to 'cp' you must be able to read.
>
>> >Why have more permissions than needed?
>
>> 	Uhm.. I don't have to read. If I want to execute something and it
>> is in my path, I just "cp `which vi` ./..." and then "./..."
>
>> 	Taking away read permissions from directories such as /bin, /sbin
>> and etc. is just security through obscurity IMHO unless you are doing some
>> other things such as trusted path execution, chroot'ed environment, etc.
>
>[scex@twist] [~]$ cd bin
>[scex@twist] [bin]$ ll bash
>-rwx------  1 scex  users  - 389120 Aug 20 03:31 bash*
>[scex@twist] [bin]$ chmod 711 bash
>[scex@twist] [bin]$ ll bash
>-rwx--x--x  1 scex users   - 389120 Aug 20 03:31 bash*
>[scex@twist] [bin]$ su nobody
>Password:
>[nobody@twist] [bin]$ cp bash /tmp/...
>cp: bash: permission denied
>
>no-one's talking about taking away read permissions from directories
>(although that also has its applications); you have to have read
>permission on a file to be able to copy it (unless you fancy mucking
>around in /proc & streams).
>
>scex
>
>
	Hmm.. you are right, but what will stop an attacker who has a
FreeBSD box or has access to one from downloading the binary?

-- Yan
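
The mode 711 state shown in the quoted session (others may execute the file but not read it, so `cp` fails) can be audited across a whole directory. The script below is an added example, not part of the thread; its function names and the sample tree are constructed, and it goes one step beyond the thread by flagging execute-only scripts, which other users cannot run because the interpreter must open the file for reading.

```shell
#!/bin/sh
# Added example (not from the thread): audit a directory for files that
# "other" users may execute but not read, i.e. the 711 case shown above.

# Print each regular file under $1 that has o+x but lacks o+r.
# Mode bits are inspected with find, so the result is the same for any caller.
exec_only_files() {
    find "$1" -type f -perm -001 ! -perm -004 -print | sort
}

# Print "script" if the file starts with "#!", otherwise "binary".
# Run this as the owner or root, since it has to read the first two bytes.
file_kind() {
    magic=$(dd if="$1" bs=2 count=1 2>/dev/null)
    if [ "$magic" = "#!" ]; then echo script; else echo binary; fi
}

# Report every execute-only file as "<kind> <path>".
# A "script" line marks a file that other users cannot actually run.
audit_dir() {
    exec_only_files "$1" | while IFS= read -r f; do
        printf '%s %s\n' "$(file_kind "$f")" "$f"
    done
}

# Constructed sample tree: names and contents are made up for the demo.
make_sample() {
    d=$(mktemp -d) || return 1
    printf '\177ELF-constructed' > "$d/tool";  chmod 711 "$d/tool"
    printf '#!/bin/sh\necho hi\n' > "$d/wrap"; chmod 711 "$d/wrap"
    printf '\177ELF-constructed' > "$d/open";  chmod 755 "$d/open"
    printf 'notes\n' > "$d/notes";             chmod 600 "$d/notes"
    echo "$d"
}

sample=$(make_sample)
audit_dir "$sample"
rm -rf "$sample"
```

Files reported as `binary` are the ones where removing read permission prevents a local copy; as the reply above points out, that does not stop someone from obtaining the same binary elsewhere.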

