Subject: Re: Library permissions and security
To: Stephen J. Roznowski <sjr@zombie.ncsc.mil>
From: Tobias Weingartner <weingart@austin.BrandonU.CA>
List: current-users
Date: 03/29/1994 11:38:27
You write:
#
# > From: "Chris G. Demetriou" <cgd@postgres.Berkeley.EDU>
# > > A while ago, there was a discussion about gaining root access via suid
# > > programs through exploiting libcrypt.so.*. Well, since the libraries
# > > are installed with owner bin (group bin), it appears that if you are
# > > able to become bin on a system, gaining root is trivial.
# >
# > if you are able to gain user 'bin', you can do damn near anything
# > you want. have you looked at the ownership of /bin/sh lately?
#
# No argument here.... Should the bsd.own.mk files be updated to install
# stuff with owner root?
No. It is quite usefull having to not *be* root, but do some simple
maintenance. Just like it is useful to have a mail group, etc...
--Toby.
-----------------------------------------------------------------
| Tobias Weingartner | PGP2.x Public Key available at |
| (204)725-3342 | 'finger weingart@austin.BrandonU.CA' |
| %SYSTEM-F-ANARCHISM, the operating system has been overthrown |
-----------------------------------------------------------------
------------------------------------------------------------------------------