From owner-freebsd-security Mon Feb 17 09:24:16 1997 Return-Path: Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id JAA28707 for security-outgoing; Mon, 17 Feb 1997 09:24:16 -0800 (PST) Received: from perki0.connect.com.au (perki0.connect.com.au [192.189.54.85]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id JAA28700 for ; Mon, 17 Feb 1997 09:24:13 -0800 (PST) Received: from nemeton.UUCP (Unemeton@localhost) by perki0.connect.com.au with UUCP id EAA19455 (8.7.6h/IDA-1.6); Tue, 18 Feb 1997 04:22:39 +1100 (EST) X-Authentication-Warning: perki0.connect.com.au: Unemeton set sender to giles@nemeton.com.au using -f Received: from localhost.nemeton.com.au (localhost.nemeton.com.au [127.0.0.1]) by nemeton.com.au (8.8.5/8.8.5) with SMTP id UAA18958; Mon, 17 Feb 1997 20:49:20 +1100 (EST) Message-Id: <199702170949.UAA18958@nemeton.com.au> To: stefan.arentz@luna.net (Stefan Arentz) cc: security@freebsd.org Subject: Re: (fwd) Re: Shell Access In-reply-to: <19970217005715.SA06934@blah.rotterdam.luna.net> Date: Mon, 17 Feb 1997 20:49:20 +1100 From: Giles Lean Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Mon, 17 Feb 1997 00:57:15 +0100 Stefan Arentz wrote: > Isn't it possible to block root hacks with a wrapper around the kernel's > setuid()/seteuid()/setgid()/setegid() system call implementation that > can deny the call on basis of the user id that is requesting the change > of credentials? Rather than do this, take the setuid bits off the things you want to protect and use a program supporting explicit access lists and logging to run these programs. (Think 'sudo', 'priv' etc.) In the case of commercial OSes, lots of things with setuid bits set don't need to be setuid since it doesn't make sense for anyone other than root to run them. (Minor success report: I've had two setuid bits removed from HP-UX. :-) Giles