Subject: Re: misc/143: Setuid programs installed unreadable
To: Arne Juul <arnej@dsl.unit.no>
From: Chris G. Demetriou <cgd@postgres.Berkeley.EDU>
List: netbsd-bugs
Date: 02/28/1994 16:46:58
> >Description:
> 	Several setuid programs, like crontab, are installed without
> 	read permission. This is (in my eyes) a hopeless security-
> 	through-obscurity measure with no positive effects, and
> 	hinders me from strings'ing or ftp'ing these binaries as
> 	a normal user. (If there is some actual reason why these
> 	programs aren't readable, please tell me :-)
> >How-To-Repeat:
> 	ls -l /usr/bin/tip /usr/bin/crontab /sbin/disklabel /sbin/init /sbin/shutdown

For disklabel, init, shutdown, and tip, there is NO reason whatsoever
to change this.  None of them are executable by 'other,' so why should
'other' be able to read them?

As for 'crontab', some would argue that making it readable is OK,
but I think leaving it unreadable is a reasonable security measure to
take.


Feel free to install these programs however you'd like on your local
system, but I'd definitely argue against those patches going into
the main source tree.
cgd
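As an added illustration of the permission argument in the reply above, not code from this thread or from NetBSD: a POSIX sh script that classifies an install mode the way the reply reasons about it (is the binary setuid, is it executable by 'other', is it readable by 'other'), plus a portable find invocation that lists setuid files readable by everyone. The modes used in the demo (crontab 4711, tip and disklabel 4710, an ordinary 755 binary, and a hypothetical 'leaky' 4755 one) are assumptions chosen for illustration, not the actual modes of the 1994 install.

```shell
#!/bin/sh
# Added example, not from the original message or from NetBSD. Modes are
# octal strings as printed by "stat -c %a" (GNU) or "stat -f %OLp" (BSD).

# Convert an octal mode string ("4711", "0755") to a decimal number.
mode_to_dec() {
    printf '%d' "0$1"
}

# Exit 0 if the mode has the setuid bit (04000 == 2048).
is_setuid() {
    [ $(( $(mode_to_dec "$1") & 2048 )) -ne 0 ]
}

# Exit 0 if 'other' may execute the file (bit 01).
other_exec() {
    [ $(( $(mode_to_dec "$1") & 1 )) -ne 0 ]
}

# Exit 0 if 'other' may read the file (bit 04).
other_read() {
    [ $(( $(mode_to_dec "$1") & 4 )) -ne 0 ]
}

# One-word verdict following the reasoning in the reply:
#   not-setuid         ordinary binary; readability is a plain policy question
#   group-only         setuid but not executable by other: nothing for other to read
#   setuid-unreadable  executable by other but not readable: strings/ftp by a
#                      normal user fails, which is the crontab case
#   setuid-readable    executable and readable by other: any user can copy it
classify_mode() {
    if ! is_setuid "$1"; then
        echo not-setuid
    elif ! other_exec "$1"; then
        echo group-only
    elif ! other_read "$1"; then
        echo setuid-unreadable
    else
        echo setuid-readable
    fi
}

# List setuid regular files under a directory that are readable by other.
# Uses only POSIX "-perm -octal" (no GNU "-perm /mode" or "o=r" forms).
find_readable_setuid() {
    find "$1" -type f -perm -4000 -perm -004 2>/dev/null
}

# Demo on a scratch directory with constructed files; the modes are assumed
# for illustration and are not the real install modes of those programs.
demo() {
    d=$(mktemp -d) || return 1
    for spec in crontab:4711 tip:4710 disklabel:4710 ordinary:755 leaky:4755; do
        name=${spec%%:*}
        mode=${spec##*:}
        : > "$d/$name"
        chmod "$mode" "$d/$name"
        printf '%-10s %s %s\n' "$name" "$mode" "$(classify_mode "$mode")"
    done
    echo "setuid files readable by other:"
    find_readable_setuid "$d"
    rm -rf "$d"
}

demo
```

Run it as a normal user: the classification needs no privileges, and the same find_readable_setuid function pointed at /usr/bin or /sbin shows which setuid binaries on a real system can be read (and so copied or run through strings) by any account.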
