Bugtraq mailing list archives
Re: permissions
From: rwing!pat () ole cdac com (Pat Myrto)
Date: Tue, 17 May 94 7:18:48 PDT
"In the previous message, Evil Pete said..."
"Pat Myrto" has been known to say:
There is a patch, that is nothing more than a script that improves the perms, that is available, at least for SunOS 4.1.x. As you point out it changes /etc/ from bin to root, and the same with a lot of other subdirs. How complete it is, I don't know, but it is far better than the original.
To get the permissions right under SunOS you have to do it yourself. mount:
/ rw,nosuid
/usr ro
/var rw,nosuid
/home rw,nosuid
/tmp rw,nosuid
/usr/local ro
That is something I must try - I was led to believe the nosuid option applied only to NFS mounts. The script I mentioned is far better than nothing; its main impact is the ownership of the subdirs. Stuff like /etc, and so on, ships owned by bin, which is no good at all, especially on diskless stations, and/or stations on the local network where the user has root privs on his workstation. While root is supposed to map to nobody on an NFS mount (unless the root option is specified), bin maps to bin, making it irrelevant who owns /etc/passwd, and so on, if one has access to bin on the client machine... I will most definitely try that nosuid and ro combo on regular mounts, especially for subdirs writeable by users, as there is no earthly reason most users need to run any SUID anything programs in their home subdir area - even suid to themselves. Thanks for pointing that out!
and for automount/afs users: /net rw,nosuid,nodev
Automount is a feature I have not tried - from all accounts one gets the feeling it is more headache than it's worth. What is the gain that warrants all the hassles? I recall that it is less than robust.
this way there is no place to install a setuid program/backdoor and most of the system binaries are on a readonly partition.
That is a good point. The only problem with making /usr/local readonly is that one must bring the system down to single user to install or update anything, so there would be a tradeoff. Still, being aware of that option, one can make an informed decision whether making local ro is desired. Your partition arrangement above is EXACTLY like mine other than the ro and nosuid options, and order of mounting: /, /usr, /tmp, /usr/local, /var, home. I will be adding other stuff on top, mostly under /var or /var/spool when I add more drives (like /var/spool/news, etc).
as for sun automount (afs is better :-) I find most sites that setup /net forget to disable setuid, thus anyone can get root by typing the command: /net/unsecure.host.another.dom/tmp/make_be_root
I am not sure what you are talking about here 'make_be_root'. Isn't the suid problem something that exists on all the nfs mounts, other than the user effectively does a mount himself by virtue of accessing the subdir in question? Is this a problem inherent in automount?
--
pat@rwing [If all fails, try: rwing!pat () ole cdac com] Pat Myrto - Seattle WA
"No one has the right to destroy another person's belief by demanding empirical evidence." -- Ann Landers, nationally syndicated advice columnist and Director at Handgun Control Inc.
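The mount-option layout discussed in this exchange (nosuid on every writable filesystem, ro for /usr and /usr/local, nodev on /net) can be audited mechanically. The script below is an added example, not code from either poster or from SunOS: it checks fstab-style entries against those rules. The sample table is constructed to match the partition layout in the message; device names and the nfs server are invented placeholders.

```shell
#!/bin/sh
# Added example: audit fstab-style entries for the options recommended in
# the thread. Rule: a filesystem is acceptable if it is mounted ro, or if it
# carries nosuid; /net additionally needs nodev so a remote host cannot
# supply device nodes. Anything else is reported as missing options.

# Constructed sample in the layout the message describes (devices invented).
SAMPLE_FSTAB='/dev/sd0a / 4.2 rw,nosuid 1 1
/dev/sd0g /usr 4.2 ro 1 2
/dev/sd0h /var 4.2 rw,nosuid 1 3
/dev/sd1a /home 4.2 rw,nosuid 1 4
/dev/sd0d /tmp 4.2 rw 1 5
/dev/sd1g /usr/local 4.2 ro 1 6
fileserver:/export/net /net nfs rw,nosuid 0 0'

# has_opt OPTIONS NAME -> exit 0 if NAME is one of the comma-separated OPTIONS
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_entry MOUNTPOINT OPTIONS
# Prints "ok", or "missing: <opts>" and returns 1 when the entry is weak.
audit_entry() {
    mp=$1; opts=$2; missing=""
    # A read-only filesystem cannot acquire a new setuid binary, so it passes.
    if has_opt "$opts" ro; then
        echo "ok"
        return 0
    fi
    has_opt "$opts" nosuid || missing="$missing nosuid"
    case $mp in
        /net*) has_opt "$opts" nodev || missing="$missing nodev" ;;
    esac
    if [ -z "$missing" ]; then
        echo "ok"
        return 0
    fi
    echo "missing:$missing"
    return 1
}

# audit_fstab < fstab-text : one report line per entry; returns 1 if any fails
audit_fstab() {
    rc=0
    while read -r dev mp type opts rest; do
        [ -z "$dev" ] && continue
        case $dev in \#*) continue ;; esac
        verdict=$(audit_entry "$mp" "$opts") || rc=1
        printf '%-12s %-20s %s\n' "$mp" "$opts" "$verdict"
    done
    return $rc
}

# Run against the constructed sample; on a live host use: audit_fstab < /etc/fstab
printf '%s\n' "$SAMPLE_FSTAB" | audit_fstab || echo "audit: some entries need attention"
```

On the sample, /tmp is reported as missing nosuid and /net as missing nodev, which are exactly the two omissions the thread warns about; the remaining entries pass. The check only reads the mount table, so it can be run on a client before any user-writable filesystem is exposed.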
Current thread:
- Re: Time For New Security Package? (was Re: new iss stuff), (continued)
- Re: Time For New Security Package? (was Re: new iss stuff) Oliver Friedrichs (May 11)
- ANNOUNCING THE [8LGM] FILESERVER & MAILING LIST INFO Karl Strickland (May 14)
- Re: Time For New Security Package? (was Re: new iss stuff) Gene Spafford (May 14)
- The ISS Program Paul Robinson (May 10)
- wolves and sheep on the inet Timothy Newsham (May 11)
- Re: wolves and sheep on the inet Gene Spafford (May 13)
- Re: wolves and sheep on the inet Steve Simmons (May 13)
- permissions Perry E. Metzger (May 16)
- Re: permissions Pat Myrto (May 16)
- Re: permissions Evil Pete (May 17)
- Re: permissions Pat Myrto (May 17)
- Re: permissions Gene Spafford (May 17)
- Re: permissions Evil Pete (May 18)
- Re: permissions Evil Pete (May 18)
- [8lgm]-Advisory-7.UNIX.passwd.11-May-1994.NEWFIX [8LGM] Security Team (May 13)
- iss equivalents *Hobbit* (May 11)
- Source vs. binary for tools Jeremy Epstein -C2 PROJECT (May 12)
- runaway lockd problems (SunOS 4.1.3) Pat Myrto (May 12)
- [8lgm]-Advisory-7.UNIX.passwd.11-May-1994 [8LGM] Security Team (May 12)
- Re: [8lgm]-Advisory-7.UNIX.passwd.11-May-1994 Pat Myrto (May 13)
- Re: [8lgm]-Advisory-7.UNIX.passwd.11-May-1994 Gene Spafford (May 13)