Date: Tue, 10 Sep 1996 17:42:38 -0600 (MDT) From: Marc Slemko <marcs@alive.ampr.ab.ca> To: John Paul Lonie <jlo@fmsc.com.au> Cc: freebsd-security@freebsd.org Subject: Re: suid/sguid files Message-ID: <Pine.BSF.3.95.960910173434.13605C-100000@alive.ampr.ab.ca> In-Reply-To: <3.0b11.32.19960910190410.006e4c94@203.4.181.10>
next in thread | previous in thread | raw e-mail | index | archive | help
I started putting together a file running through all the setuid files on a default FreeBSD install and making suggestions about what happens if you remove the setuid bit, and what alternatives there are. I hope to finish it up and get around to posting it sometime. In the meantime, a few comments about a few of the items mentioned. On Tue, 10 Sep 1996, John Paul Lonie wrote: > Hello all, > > Just wondering what the effect would be on removing the set u/g of > the following files. Most of these are -s kmem or tty or dialer. > > First of all what difference would the kmem ones have on the root users use > of these files, I presume nothing but I wouldn't mind being certain. In general, unless files are setuid something other than root, removing the setuid and setgid bits will no result in any change in behavior when root runs them. > I suppose the real question is does anything fall over if the kem /tty > groups are changed on systems with only the root user. There should be no systems with only root. Limit your losses; if you aren't running as root all the time, you can't hurt as much. sudo is magic. > /sbin/dump - why is this tty ? -r-sr-sr-x 1 root tty 188416 Jul 17 03:23 > dump As someone has already pointed out, it is for use in conjunction with the n option which notifies those in the group operator when it needs attention. > /usr/bin/login Setuid can be taken off login as long as you don't need to allow users who are already logged in to login with a different name and password by execing login. > /usr/bin/su You probably want to keep su setuid unless you use something like sudo. Never long as root, use su or sudo. > /usr/bin/wall Does this affect the shutdown scripts ? No. shutdown uses wall, but it runs as root anyway so who cares. > /usr/libexec/mail.local Removing the setuid bit breaks local mail delivery.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.95.960910173434.13605C-100000>