Date:      Fri, 20 Sep 2002 16:51:39 -0600
From:      Andy <seahorse51@attbi.com>
To:        "Jack L. Stone" <jackstone@sage-one.net>, freebsd-questions@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject:   Re: options SUIDDIR
Message-ID:  <5.1.1.6.0.20020920164541.03859bb8@mail.seahorse.wsonline.net>
In-Reply-To: <3.0.5.32.20020920173328.00e8d428@mail.sage-one.net>
References:  <5.1.1.6.0.20020919154959.02f7b008@mail.seahorse.wsonline.net>

At 16:33 09/20/2002, Jack L. Stone wrote:
>At 04:00 PM 9.19.2002 -0600, Andy wrote:
> >I have been researching the use of "options SUIDDIR" in the kernel.  I have
> >noted several warnings about the use of this option being a security issue,
> >but I have as of yet to read or see any explanation as to what kind of
> >security issue its use represents.
> >
> >Any assistance in an explanation concerning this would be very much
> >appreciated.
> >
> >Andy
> >
> >
>
>I have this in my kernel from when I used the base system FTP server, but
>since switching to ProFTP, I have not seen a use for it and was planning to
>remove on next compile of the kernel.....
>
>What uses do you have in mind? Maybe I'll leave it in if really useful for
>some other app.
>
>Best regards,
>Jack L. Stone,
>Administrator

I would like to be able to use it to ensure that file ownerships are 
correct in user home directories.  Most files that are created via scripts 
and the web server take on the ownership of whatever the Web server is 
being run as.  This makes it difficult for someone to remove them if they 
so desire.

The only warnings I have seen indicate that it is a security risk in the 
event that shell access is permitted on servers that use the SUIDDIR 
option.  I have not as of yet been able to discover what kind of security 
risk this represents and/or how it can be exploited.

As with anything, one can not make an educated decision without having all 
of the facts or details concerning the issue in question.

Andy


