Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Bill Vermillion (bvwjv.com)
Date: Wed Apr 24 2002 - 07:57:45 CDT
> Re: FreeBSD Security Advisory FreeBSD-SA-02:23.stdio
> Date: Tue, 23 Apr 2002 15:37:04 -0700 (PDT)
> From: Jason Stone <jasonshalott.net>
> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:23.stdio
[someone else said]
> > I see see this a lot. Why if the answer is always "all of
> > them" isn't FreeBSD distributed, and patched, and whatever so
> > this is already true.
> > I can't believe that FreeBSD would allow their system to have these
> > suid bits set if they weren't supposed to be that way.
To which Jason replied:
> If a program has the setuid bit turned on, it will run as the
> user who owns the program rather than the user who's running
> it. In general, this is a bad idea because fundamentally, users
> should not be able to run code as other users. However, there
> are some programs which must run as root for either all or part
> of their functionality and are therefore setuid.
I have used database programs that run SUID the database owner
so that only those who access to the database and run the SUID
program can modify/see the database files.
> However, if you either don't need that program at all, or don't
> need the functionality that requires root priveleges, you can
> remove the setuid bit to increase system security.
There are other things that run SUID that are not SUID root.
man runs as suid man, uucp programs typically run suid uucp, and
my news program runs suid news. There are legitimate reasons for
running programs suid other than root.
setuid.today under /var/log will show you just what is there.
So you many not want to blindly remove all SUID bits. One of the
other posters showed a script for removing all SUID bits, and that
may not be what you want, unless you have checked them all first.
> So while each setuid program has a reason for being setuid,
> that doesn't mean that any given box needs each to be setuid.
Correct. And I'm just pointing that suid doesn't always mean suid
root, which seem to be a prominent theme in this thread.
-- Bill Vermillion - bv wjv . com
To Unsubscribe: send mail to majordomoFreeBSD.org with "unsubscribe freebsd-security" in the body of the message