Date:      Sat, 3 Jul 110 15:28:56 -0700 (PDT)
From:      Jim Dennis <jimd@mistery.mcafee.com>
To:        fqueries@jraynard.demon.co.uk (James Raynard)
Cc:        tcg@ime.net, dwhite@resnet.uoregon.edu, questions@freebsd.org
Subject:   Re: src tree owners
Message-ID:  <201007032228.PAA24532@mistery.mcafee.com>
In-Reply-To: <199607022008.UAA00658@jraynard.demon.co.uk> from "James Raynard" at Jul 2, 96 08:08:03 pm

> 
> > > > On Unix, the `proper` way is for configuration files to be owned by
> > > > root - it's not a good idea to allow just anybody to change them!
> > > 
> > > I Agree! My question was/is about the Source tree!
> 
> I originally wrote "critical files such as source code or
> configuration files", then changed my mind and deleted the wrong bit.
> Sorry about that :-(
> > 	You might consider simply adding yourself to the 'bin' group
> Yep, just edit /etc/group.
> > 	(and setting the SGID bit on the directories).  The default
> Actually, there's no need to set the SGID bit on the directories, as
> BSD systems automatically pass the group ownership on to any new
> sub-directories created in the current directory - see mkdir(2).
> 
> > 	configuration seems to leave the sources g+w and owned by 
> > 	root.bin.
> 
> Something that just occurred to me - doesn't some network backup
> software require a .rhosts file for the user "bin"? If so, doesn't
> this leave the system source code potentially vulnerable?

	I agree.  I was thinking of going in and chown'ing those to 
	root.root or chmod'ing them to 600.
> 
> > 	In a multi-user environment you should consider installing
> > 	tripwire and being particularly careful to monitor it for
> > 	source tree changes.  Anyone who can get a simple change into
> > 	any source file -- and get 'root' to build it can effectively
> > 	take control of the entire system. (This is true of the system
> > 	binaries as well -- but more insidious).
> Very true.
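The two pieces of advice in this thread (look at what in the tree is group-writable, and monitor the tree for changes with a tripwire-style baseline) as an added example that is not part of this message, of FreeBSD, or of tripwire. The tree it audits is a constructed temporary directory with made-up file names; it assumes a POSIX sh with find, awk, mktemp and one of sha256sum, shasum or cksum:

```shell
#!/bin/sh
# Added example: minimal source-tree audit in the spirit of the thread.
# Not from the thread, FreeBSD or tripwire; the tree and file names in
# run_demo are constructed. Assumes POSIX sh, find, awk, mktemp and a
# SHA-256 tool (falls back to cksum, which is a CRC, not a cryptographic hash).

# hash_file FILE: print a content digest for FILE.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d' ' -f1
  else
    cksum "$1" | cut -d' ' -f1
  fi
}

# audit_perms DIR: list entries under DIR that are group- or world-writable.
# This surfaces the g+w, root:bin default the thread describes.
audit_perms() {
  find "$1" \( -perm -020 -o -perm -002 \) -print | sort
}

# build_baseline DIR OUT: one "digest<TAB>path" line per regular file.
build_baseline() {
  find "$1" -type f -print | sort | while IFS= read -r f; do
    printf '%s\t%s\n' "$(hash_file "$f")" "$f"
  done > "$2"
}

# check_baseline DIR BASELINE: report ADDED / REMOVED / CHANGED paths by
# comparing a fresh digest list against the stored baseline.
check_baseline() {
  cur=$(mktemp)
  build_baseline "$1" "$cur"
  awk -F'\t' '
    FILENAME == ARGV[1] { base[$2] = $1; next }
    { now[$2] = $1 }
    END {
      for (p in now)  if (!(p in base))                      print "ADDED\t" p
      for (p in base) if (!(p in now))                       print "REMOVED\t" p
      for (p in base) if ((p in now) && base[p] != now[p])   print "CHANGED\t" p
    }' "$2" "$cur" | sort
  rm -f "$cur"
}

# run_demo: build a constructed tree, baseline it, tamper with it, report.
run_demo() {
  root=$(mktemp -d)
  mkdir -p "$root/sys/kern" "$root/bin/ls"
  echo 'int main(void) { return 0; }' > "$root/sys/kern/kern_exec.c"
  echo 'int main(void) { return 0; }' > "$root/bin/ls/ls.c"
  chmod 755 "$root" "$root/sys" "$root/sys/kern" "$root/bin" "$root/bin/ls"
  chmod 664 "$root/sys/kern/kern_exec.c"   # g+w, as in the default tree
  chmod 644 "$root/bin/ls/ls.c"

  echo '== group/world-writable entries =='
  audit_perms "$root" | sed "s|^$root/||"

  base=$(mktemp)
  build_baseline "$root" "$base"

  # Simulate what the thread warns about: an edit slipped into the tree,
  # plus one file added and one removed.
  echo '/* tampered */' >> "$root/sys/kern/kern_exec.c"
  echo 'x' > "$root/bin/ls/extra.c"
  rm "$root/bin/ls/ls.c"

  echo '== baseline comparison =='
  check_baseline "$root" "$base" | sed "s|$root/||"

  rm -rf "$root" "$base"
}

run_demo
```

Keep the baseline file somewhere the `bin` group cannot write (root-owned, mode 600), otherwise whoever can alter the tree can also alter the record you compare it against.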
