Date:      Tue, 22 Jul 1997 11:25:58 -0700 (MST)
From:      Terry Lambert <terry@lambert.org>
To:        sthaug@nethelp.no
Cc:        terry@lambert.org, hackers@FreeBSD.ORG
Subject:   Re: sendmail complains about being unable to write his pid file
Message-ID:  <199707221825.LAA13692@phaeton.artisoft.com>
In-Reply-To: <2688.869556341@verdi.nethelp.no> from "sthaug@nethelp.no" at Jul 22, 97 09:25:41 am

> The only argument I've heard so far *for* the bin ownership is Terry
> Lambert's:


There is also the "It's historically BSD" argument.

This particular argument seems strong enough to keep us in the
dark ages with regard to centralization of system configuration
data, and in regard to separate startup scripts for support of
third party application installs/deinstalls without rc file
munging.

So why isn't the "history" argument good enough here?


> > The ability to update machines remotely via NFS, which proxies root
> > as "nobody" in most sane configurations.
> 
> But if you export the file systems read-only, you can't perform remote
> updates via NFS.

This was a separate suggestion for those people too anal to accept
the "Oh, no!  They've compromised 'bin' after compromising 'root'
on the client machine!" argument.

> If you *do* export the file systems read-write, in order
> to enable remote updates, you're at the mercy of any machine that can mount
> file systems (or guess file handles) from your machine.

This is why you have netgroups: so that for all machines but the
machine allowed to originate updates, it's read-only; for the
machine allowed to originate updates, it's read/write.

There are many, many ways to compromise an NFS server machine;
not all of them rely on NFS.


> In the absence of NFS, having a program owned by root instead of bin may
> not be more secure. But it is certainly no *less* secure - if my root
> account is cracked then file ownership of bin means nothing anyway.

Not true.  In order to crack bin, one *must* crack root.  There
is no way to proxy a bin credential otherwise.


On the other hand, root ownership is certainly how SVR4 does it;
that should endear the idea to everyone.


					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
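The export split described above (read-only for every client except the one machine allowed to originate updates, with client root mapped to nobody unless an export line says otherwise) can be checked mechanically. The following is an added example, not code from the original message or from FreeBSD: a small Python audit of FreeBSD-style /etc/exports lines run over a constructed sample. The netgroup names `clients` and `updaters`, the paths, and the network are assumptions made for the sample.

```python
"""Audit FreeBSD-style /etc/exports lines: who gets write access, and whether a
client's root keeps uid 0 on the server. Added example over constructed input."""
from __future__ import annotations

import shlex
from dataclasses import dataclass

# Constructed sample (assumption): 'clients' and 'updaters' are netgroup names
# from /etc/netgroup; only 'updaters' may write /usr and keep root while doing so.
SAMPLE_EXPORTS = """\
/usr -ro clients
/usr -maproot=root updaters
/home -alldirs -network 10.0.1.0 -mask 255.255.255.0
/export/scratch
"""


@dataclass
class Export:
    path: str
    read_only: bool
    maproot: str          # "nobody": FreeBSD's default mapping of client uid 0 to -2
    hosts: list[str]      # host names / netgroups; empty means no host restriction
    network: str | None   # -network/-mask restriction, if any


def parse_exports(text: str) -> list[Export]:
    """Parse '/path [-options] [hosts...]' lines; '#' starts a comment."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)
        path, read_only, maproot, network, hosts = tokens[0], False, "nobody", None, []
        it = iter(tokens[1:])
        for tok in it:
            if tok == "-ro":
                read_only = True
            elif tok.startswith("-maproot="):
                maproot = tok.split("=", 1)[1]
            elif tok == "-network":
                network = next(it)            # may already carry a /prefix
            elif tok == "-mask":
                network = f"{network}/{next(it)}"
            elif tok.startswith("-"):
                continue                      # -alldirs, -mapall, ... do not change this audit
            else:
                hosts.append(tok)
        exports.append(Export(path, read_only, maproot, hosts, network))
    return exports


def scope_of(e: Export) -> str:
    """Human-readable host set an export line applies to."""
    if e.hosts:
        return ", ".join(e.hosts)
    return e.network or "EVERYONE"


def writable_exports(exports: list[Export]) -> list[tuple[str, str, bool]]:
    """(path, scope, root_kept) for each line that grants write access.
    root_kept is True only when -maproot names root/0, i.e. the client's root
    is not proxied as nobody and can touch root-owned files."""
    return [
        (e.path, scope_of(e), e.maproot in ("root", "0"))
        for e in exports
        if not e.read_only
    ]


def world_writable(exports: list[Export]) -> list[str]:
    """Paths exported read-write with neither a host list nor a network limit."""
    return [e.path for e in exports if not e.read_only and not e.hosts and not e.network]


if __name__ == "__main__":
    parsed = parse_exports(SAMPLE_EXPORTS)
    for path, scope, root_kept in writable_exports(parsed):
        print(f"{path}: writable by {scope}; client root {'KEPT' if root_kept else 'mapped to nobody'}")
    for path in world_writable(parsed):
        print(f"WARNING {path}: read-write export with no host restriction")
```

Running it on the sample reports /usr as writable only by the `updaters` netgroup (with root kept, which is the intended update path), /home as writable by the 10.0.1.0 network with root mapped to nobody, and flags /export/scratch as a read-write export open to every host that can mount it.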