From owner-freebsd-security Fri Sep 20 15:51:45 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 11B0537B401; Fri, 20 Sep 2002 15:51:43 -0700 (PDT)
Received: from wso-h001.wsonline.net (12-254-8-189.client.attbi.com [12.254.8.189]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6F71C43E42; Fri, 20 Sep 2002 15:51:42 -0700 (PDT) (envelope-from seahorse51@attbi.com)
Received: from seahorse.attbi.com (trilluser@seahorse [192.168.1.101]) by wso-h001.wsonline.net (8.12.5/8.12.5) with ESMTP id g8KMpepI002906; Fri, 20 Sep 2002 16:51:41 -0600 (MDT) (envelope-from seahorse51@attbi.com)
Message-Id: <5.1.1.6.0.20020920164541.03859bb8@mail.seahorse.wsonline.net>
X-Sender: seahorse@mail.seahorse.wsonline.net
X-Mailer: QUALCOMM Windows Eudora Version 5.1.1
Date: Fri, 20 Sep 2002 16:51:39 -0600
To: "Jack L. Stone", freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
From: Andy
Subject: Re: options SUIDDIR
In-Reply-To: <3.0.5.32.20020920173328.00e8d428@mail.sage-one.net>
References: <5.1.1.6.0.20020919154959.02f7b008@mail.seahorse.wsonline.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

At 16:33 09/20/2002, Jack L. Stone wrote:
>At 04:00 PM 9.19.2002 -0600, Andy wrote:
> >I have been researching the use of "options SUIDDIR" in the kernel. I have
> >noted several warnings about the use of this option being a security issue,
> >but I have as of yet to read or see any explanation as to what kind of
> >security issue its use represents.
> >
> >Any assistance in an explanation concerning this would be very much
> >appreciated.
> >
> >Andy
>
>
>I have this in my kernel from when I used the base system FTP server, but
>since switching to ProFTP, I have not seen a use for it and was planning to
>remove on next compile of the kernel.....
>
>What uses do you have in mind? Maybe I'll leave it in if really useful for
>some other app.
>
>Best regards,
>Jack L. Stone,
>Administrator

I would like to be able to use it to ensure that file ownerships are correct
in user home directories. Most files that are created via scripts and the web
server take on the ownership of whatever the Web server is being run as. This
makes it difficult for someone to remove them if they so desire.

The only warnings I have seen indicate that it is a security risk in the event
that shell access is permitted on servers that use the SUIDDIR option. I have
not as of yet been able to discover what kind of security risk this represents
and/or how it can be exploited. As with anything, one cannot make an educated
decision without having all of the facts or details concerning the issue in
question.

Andy

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
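An audit script to go with the thread, added here as an example and not something posted by Andy or Jack. SUIDDIR only changes behaviour for directories that carry the setuid bit on a filesystem mounted with the suiddir option (files created there take the directory owner's uid instead of the creator's), so an administrator deciding whether to keep the option wants two things: a list of every setuid-bit directory on the host, and, for the home-directory problem Andy describes, a list of entries whose owner does not match the directory owner. The tree it scans is constructed in a temporary directory; the path names and the `alice` account are assumptions for the demo, and nothing here depends on FreeBSD itself (it only inspects mode bits and uids).

```python
import os
import stat
import tempfile
from pathlib import Path


def find_setuid_dirs(root):
    """Return sorted (path, owner_uid) pairs for every directory at or below
    root whose mode has the setuid bit set.  On FreeBSD these are exactly the
    directories where SUIDDIR (kernel option plus the suiddir mount option)
    rewrites the owner of newly created files, so they are the places to
    review before enabling the option on a host with shell users."""
    hits = []
    root_st = os.lstat(root)
    if stat.S_ISDIR(root_st.st_mode) and root_st.st_mode & stat.S_ISUID:
        hits.append((root, root_st.st_uid))
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort
            if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_uid))
    return sorted(hits)


def entries_not_owned_by_dir_owner(directory):
    """Names of entries in directory whose uid differs from the directory's
    owner.  This is the condition in Andy's message: files dropped into a
    user's home by the web server and owned by the web server's uid."""
    dir_uid = os.stat(directory).st_uid
    mismatched = []
    for name in sorted(os.listdir(directory)):
        st = os.lstat(os.path.join(directory, name))
        if st.st_uid != dir_uid:
            mismatched.append(name)
    return mismatched


def demo():
    """Build a constructed home-directory tree and run both checks.
    Returns (setuid dirs relative to the tree root, mismatched entries in
    public_html).  Everything is created by the current user, so the
    mismatch list is empty in this self-contained run; on a real host it
    would show the web-server-owned files."""
    base = tempfile.mkdtemp(prefix="suiddir-audit-")
    home = os.path.join(base, "home", "alice")          # assumed layout
    public_html = os.path.join(home, "public_html")
    os.makedirs(public_html)
    os.makedirs(os.path.join(home, "private"))
    # Mark public_html the way an admin would for SUIDDIR: setuid bit on the
    # directory.  Only this directory should be reported by the scan.
    os.chmod(public_html, 0o4755)
    Path(public_html, "index.html").write_text("constructed sample file\n")
    setuid_dirs = [os.path.relpath(p, base) for p, _uid in find_setuid_dirs(base)]
    return setuid_dirs, entries_not_owned_by_dir_owner(public_html)


if __name__ == "__main__":
    dirs, mismatched = demo()
    print("setuid-bit directories:", dirs)
    print("entries not owned by directory owner:", mismatched)
```

Run it against `/home` (or `/usr/home` on FreeBSD) instead of the temporary tree to get the real inventory; `find /home -type d -perm -u+s` gives the same first list from the shell, and `mount | grep suiddir` tells you whether the bit is actually being honoured on that filesystem.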