Date:      Sat, 30 Mar 2002 14:44:51 -0800
From:      "Crist J. Clark" <crist.clark@attbi.com>
To:        peter.lai@uconn.edu
Cc:        Jason Stone <jason-fbsd-security@shalott.net>, security@FreeBSD.ORG
Subject:   Re: make world and setuid bits
Message-ID:  <20020330144451.B99214@blossom.cjclark.org>
In-Reply-To: <20020330041052.C67123@cowbert.2y.net>; from sirmoo@cowbert.2y.net on Sat, Mar 30, 2002 at 04:10:52AM -0500
References:  <20020328121850.D97841@blossom.cjclark.org> <20020328161518.R5333-100000@walter> <20020328174304.L97841@blossom.cjclark.org> <20020330041052.C67123@cowbert.2y.net>

On Sat, Mar 30, 2002 at 04:10:52AM -0500, Peter C. Lai wrote:
> Can we at least have the option of being able to either
> 
> 1. not build at all
> 
> 	or
> 
> 2. not setuid
> 
> on stuff that should never be used (such as rlogin, rsh, rcp) 
> on modern networks

Send patches.

> Similarly, very few people use sliplogin (or SLIP at all) or UUCP nowadays

uucp(1) is gone in -CURRENT.

> and finally, some installations don't require yp*.
> I found out that I can use yp* to grab the shadow password file
> from a Solaris server on the network. I don't want that to happen
> if someone got to my box. (Needless to say, I don't use NIS
> to authenticate for anything on this segment).

You are only vulnerable to something like this when you're actually
running ypserv(8). As for the NIS stuff built into commands like
passwd(1), it doesn't present much of a security risk.

If you _really_ don't want to build NIS support, NIS is basically
turned on by adding '-DYP' to CFLAGS in some Makefiles. You can
take all of those back out and see what breaks. Again, feel free to
send patches if you can devise a NO_YP knob to handle that.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
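
The reply above says NIS support is enabled by '-DYP' in the CFLAGS of some Makefiles. As an added example (not part of the original message and not FreeBSD project code), this script lists those Makefiles in a source tree so each can be reviewed before the flag is removed. The function names and the sample tree are constructed for illustration; matching -DYP as a whole token on a CFLAGS line is an assumption about how the flag is written.

```shell
#!/bin/sh
# Print "file:line:text" for every CFLAGS assignment that defines YP.
# Backslash-continued lines are not joined; each physical line is checked alone.
yp_makefiles() {
    find "$1" -type f \( -name Makefile -o -name 'Makefile.*' \) -print |
    sort |
    while IFS= read -r mk; do
        awk -v f="$mk" '
            # Ignore comments so a commented-out flag is not reported.
            { line = $0; sub(/#.*/, "", line) }
            # CFLAGS=, CFLAGS+=, CFLAGS?=, CFLAGS:= carrying -DYP as a whole
            # token (so -DYPFOO does not match).
            line ~ /^[ \t]*CFLAGS[ \t]*[+:?]?=/ &&
            line ~ /(^|[ \t=])-DYP([ \t]|$)/ {
                printf "%s:%d:%s\n", f, NR, $0
            }' "$mk"
    done
}

# Constructed sample tree (not real FreeBSD source) covering a hit, a
# similarly named macro, a commented-out flag, and a spaced assignment.
make_sample_tree() {
    mkdir -p "$1/passwd" "$1/rlogin" "$1/other"
    printf 'PROG=\tpasswd\nSRCS=\tpasswd.c\nCFLAGS+=-DYP -DLOGIN_CAP\n' \
        > "$1/passwd/Makefile"
    printf 'PROG=\trlogin\nCFLAGS+=-DYPFOO\n# CFLAGS+=-DYP\n' \
        > "$1/rlogin/Makefile"
    printf 'PROG=\tother\nCFLAGS = -Wall -DYP\n' \
        > "$1/other/Makefile"
}

# Demo: scan the constructed tree, then clean up.
demo_tree=$(mktemp -d)
make_sample_tree "$demo_tree"
yp_makefiles "$demo_tree"
rm -rf "$demo_tree"
```

On a real tree, pass the source directory instead, then remove the flag from one Makefile at a time and rebuild to see what breaks, as the reply suggests.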
