Re: make world and setuid bits

From: Peter C. Lai (sirmoo@cowbert.2y.net)
Date: 03/30/02


Date: Sat, 30 Mar 2002 04:10:52 -0500
From: "Peter C. Lai" <sirmoo@cowbert.2y.net>
To: "Crist J. Clark" <cjc@FreeBSD.ORG>

Can we at least have the option of being able to either

1. not build at all

        or

2. not setuid

on stuff that should never be used (such as rlogin, rsh, rcp)
on modern networks.
Similarly, very few people use sliplogin (or SLIP at all) or UUCP nowadays,

and finally, some installations don't require yp*.
I found out that I can use yp* to grab the shadow password file
from a solaris server on the network. I don't want that to happen
if someone got to my box. (Needless to say, I don't use NIS
to authenticate for anything on this segment).

I know you can turn off building stuff like lp*, sendmail, and bind tools.

On Thu, Mar 28, 2002 at 05:43:04PM -0800, Crist J. Clark wrote:
> On Thu, Mar 28, 2002 at 04:37:54PM -0800, Jason Stone wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> >
> > > > Are there make variables that can be set to prevent "make world" from
> > > > installing binaries as setuid? Currently, I always run something like
> > > > "find / -perm -4000 | xargs chmod u-s" after doing a make world, but this
> > > > seems inelegant, prone to human error, and dangerous as there's a
> > > > (potentially quite long) period in which there are still many setuid
> > > > binaries....
> > > >
> > > > make options to allow the prevention of "setuid root", "all setuid",
> > > > or "all setuid and all setgid" would be nice.
> > >
> > > For the vast majority of users, having no setuid binaries is a really,
> > > really bad idea from a security standpoint. It forces you to do
> > > everything as root.
> >
> > 1) For server machines that have no non-root interactive users, the
> > "no setuid or setgid at all" option is a very good idea.
>
> Some sites may use this policy, but I would never like it. It requires
> direct logins as root.
>
> > 2) Even on machines that do have interactive users, there are many
> > environments where it's possible to turn off most of the setuid root
> > bits - I see no reason to let users on a shared machine run ping or
> > traceroute, rsh/rlogin should never be used at all, I can get away with
> > not providing crontab, most servers don't have printers attached and
> > therefore have no use for lpr, etc.
>
> passwd(1), at(1), crontab(1), login(1), su(1), some or most of those
> would be required for almost any multiuser installation.
>
> > So, given that there's decidedly some utility in doing this, is there any
> > reason to not do so?
>
> <insert the usual arguments against rampant featurism here>
> <insert the usual comparison to M$ OS featurism to needlessly incite
> emotional responses>
>
> If you can come up with some reasonably non-obtrusive patches to the
> build to control this with some make.conf(5) knobs, we can have a look
> at the practicality.
> --
> Crist J. Clark | cjclark@alum.mit.edu
> | cjclark@jhu.edu
> http://people.freebsd.org/~cjc/ | cjc@freebsd.org
>

-- 
Peter C. Lai
University of Connecticut
Dept. of Residential Life | Programmer
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
http://cowbert.2y.net/
860.427.4542 (Room)
860.486.1899 (Lab)
203.206.3784 (Cellphone)
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
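The thread's "find ... | xargs chmod u-s" step strips every setuid file, including the passwd/su/login/crontab/at set Crist says a multiuser box needs. As an added example that is not from the thread, this script audits an installed tree against an explicit allowlist and reports only the unexpected set-id files, so the stripping can be reviewed and targeted; the sample tree is constructed in a temp directory and the allowlist is illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): audit an installed tree for setuid/setgid
# files that are not on an explicit allowlist, so the stripping step discussed
# above can be reviewed and targeted instead of applied to every 4000-mode file.

# Programs the thread names as needed on a multiuser box; adjust per site.
SETUID_ALLOW="passwd su login crontab at"

# audit_setids DIR: print "<bits> <path>" for every setuid/setgid regular file
# under DIR whose basename is not allowlisted. Exit status 0 = nothing unexpected.
audit_setids() {
    dir=$1
    count=0
    # -perm -4000: setuid bit set; -perm -2000: setgid bit set.
    list=$(find "$dir" -type f \( -perm -4000 -o -perm -2000 \) | sort)
    [ -z "$list" ] && return 0
    while IFS= read -r f; do
        name=${f##*/}
        case " $SETUID_ALLOW " in
            *" $name "*) continue ;;   # allowlisted, skip
        esac
        bits=""
        [ -u "$f" ] && bits="setuid"
        [ -g "$f" ] && bits="${bits:+$bits,}setgid"
        printf '%s %s\n' "$bits" "$f"
        count=$((count + 1))
    done <<EOF
$list
EOF
    [ "$count" -eq 0 ]
}

# make_sample_tree: constructed stand-in for a freshly installed /usr (NOT a real
# system), mixing allowlisted, unexpected, and non-set-id files. Prints its path.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/bin" "$t/usr/sbin"
    for b in passwd su rlogin rsh rcp ping; do
        : > "$t/usr/bin/$b"; chmod 4555 "$t/usr/bin/$b"      # setuid
    done
    : > "$t/usr/bin/crontab";    chmod 6555 "$t/usr/bin/crontab"    # setuid+setgid
    : > "$t/usr/sbin/sliplogin"; chmod 4555 "$t/usr/sbin/sliplogin"
    : > "$t/usr/bin/ls";         chmod 0555 "$t/usr/bin/ls"         # plain
    printf '%s\n' "$t"
}
sample=$(make_sample_tree)
audit_setids "$sample" || echo "unexpected set-id files under $sample"
rm -rf "$sample"
```

Feeding the reported paths to `xargs chmod ug-s` reproduces the stripping step from the thread, but only for files outside the allowlist.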
