Subject: Re: BSD auth for NetBSD
To: None <tech-security@NetBSD.ORG, tech-userlevel@NetBSD.ORG>
From: Jun-ichiro itojun Hagino <itojun@itojun.org>
List: tech-userlevel
Date: 09/14/2003 08:07:51
one of the benefit of BSD auth (which has not been mentioned here)
is that it can reduce the number of setuid root programs directly
invoked from the user. programs that needs authentication just need
to be setgid "auth" (to access authentication programs under
/usr/libexec/auth). authentication logic
(i.e. /usr/libexec/auth/login_passwd) works in separate address space,
so there's less chance for bad guys to trick them.
with PAM, setuid programs(like /usr/bin/login) needs to stay setuid
root, and they have to introduce dlopen() which can open up a can
of worms.
itojun
itojun[starfruit:~] uname -a
NetBSD starfruit.itojun.org 1.6Z NetBSD 1.6Z (STARFRUIT) #461: Fri Sep 12 20:23:17 JST 2003 itojun@starfruit.itojun.org:/home/itojun/NetBSD/src/sys/arch/i386/compile/STARFRUIT i386
itojun[starfruit:~] ls -l `find /usr/bin -perm 4555 -print` `find /usr/sbin -perm 4555 -print`
-r-sr-xr-x 4 root wheel 23284 Sep 6 21:30 /usr/bin/at
-r-sr-xr-x 4 root wheel 23284 Sep 6 21:30 /usr/bin/atq
-r-sr-xr-x 4 root wheel 23284 Sep 6 21:30 /usr/bin/atrm
-r-sr-xr-x 4 root wheel 23284 Sep 6 21:30 /usr/bin/batch
-r-sr-xr-x 3 root wheel 19112 Sep 6 21:30 /usr/bin/chfn
-r-sr-xr-x 3 root wheel 19112 Sep 6 21:30 /usr/bin/chpass
-r-sr-xr-x 3 root wheel 19112 Sep 6 21:30 /usr/bin/chsh
-r-sr-xr-x 1 root wheel 24048 Sep 6 21:30 /usr/bin/crontab
-r-sr-xr-x 1 uucp wheel 119776 Sep 6 21:21 /usr/bin/cu
-r-sr-xr-x 3 root wheel 16832 Sep 6 21:31 /usr/bin/kpasswd
-r-sr-xr-x 1 root wheel 27296 Sep 6 21:30 /usr/bin/login
-r-sr-xr-x 3 root wheel 16832 Sep 6 21:31 /usr/bin/passwd
-r-sr-xr-x 1 root wheel 12108 Sep 6 21:31 /usr/bin/rlogin
-r-sr-xr-x 1 root wheel 4784 Sep 6 21:32 /usr/bin/skeyinfo
-r-sr-xr-x 1 root wheel 11532 Sep 10 20:09 /usr/bin/skeyinit
-r-sr-xr-x 1 root wheel 18444 Sep 6 21:31 /usr/bin/su
-r-sr-xr-x 1 uucp wheel 85852 Sep 6 21:21 /usr/bin/uucp
-r-sr-xr-x 1 uucp wheel 35580 Sep 6 21:21 /usr/bin/uuname
-r-sr-xr-x 1 uucp wheel 93984 Sep 6 21:21 /usr/bin/uustat
-r-sr-xr-x 1 uucp wheel 85804 Sep 6 21:21 /usr/bin/uux
-r-sr-xr-x 3 root wheel 16832 Sep 6 21:31 /usr/bin/yppasswd
-r-sr-xr-x 1 root wheel 15336 Sep 6 21:35 /usr/sbin/mrinfo
-r-sr-xr-x 1 root wheel 26504 Sep 6 21:46 /usr/sbin/mtrace
-r-sr-xr-x 1 root wheel 185432 Sep 6 21:36 /usr/sbin/pppd
-r-sr-xr-x 1 root wheel 8812 Sep 6 21:36 /usr/sbin/sliplogin
-r-sr-xr-x 1 root wheel 14912 Sep 6 21:36 /usr/sbin/timedc
-r-sr-xr-x 1 root wheel 19436 Sep 6 21:36 /usr/sbin/traceroute
-r-sr-xr-x 1 root wheel 18288 Sep 6 21:37 /usr/sbin/traceroute6
itojun[starfruit:~] ls -l `find /usr/bin -perm 2555 -print` `find /usr/sbin -perm 2555 -print`
-r-xr-sr-x 1 root kmem 18336 Sep 6 21:30 /usr/bin/fstat
-r-xr-sr-x 1 root auth 7912 Sep 10 19:40 /usr/bin/lock
-r-xr-sr-x 1 root kmem 5996 Sep 6 21:31 /usr/bin/modstat
-r-xr-sr-x 1 root kmem 110200 Sep 12 19:42 /usr/bin/netstat
-r-xr-sr-x 1 root kmem 34940 Sep 6 21:31 /usr/bin/pmap
-r-xr-sr-x 2 root kmem 83752 Sep 6 21:31 /usr/bin/sysstat
-r-xr-sr-x 2 root kmem 83752 Sep 6 21:31 /usr/bin/systat
-r-xr-sr-x 1 root kmem 31260 Sep 6 21:32 /usr/bin/vmstat
-r-xr-sr-x 1 root tty 11528 Sep 6 21:32 /usr/bin/wall
-r-xr-sr-x 1 root tty 10728 Sep 6 21:32 /usr/bin/write
-r-xr-sr-x 1 root daemon 27840 Sep 6 21:35 /usr/sbin/lpc
-r-xr-sr-x 1 root maildrop 75824 Sep 6 21:26 /usr/sbin/postdrop
-r-xr-sr-x 1 root maildrop 67200 Sep 6 21:26 /usr/sbin/postqueue
-r-xr-sr-x 1 root kmem 18348 Sep 6 21:36 /usr/sbin/pstat
-r-xr-sr-x 1 root kmem 7696 Sep 6 21:36 /usr/sbin/slstats
-r-xr-sr-x 1 root kmem 10120 Sep 6 21:36 /usr/sbin/trpt
-r-xr-sr-x 1 root kmem 10056 Sep 6 21:36 /usr/sbin/trsp
itojun[tapioca:~] uname -a
OpenBSD tapioca.itojun.org 3.4 GENERIC#79 macppc
itojun[tapioca:~] ls -l `find /usr/bin -perm 4555 -print` `find /usr/sbin -perm 4555 -print`
-r-sr-xr-x 3 root bin 21576 Sep 12 20:20 /usr/bin/chfn
-r-sr-xr-x 3 root bin 21576 Sep 12 20:20 /usr/bin/chpass
-r-sr-xr-x 3 root bin 21576 Sep 12 20:20 /usr/bin/chsh
-r-sr-xr-x 1 root bin 21572 Sep 12 20:20 /usr/bin/passwd
-r-sr-xr-x 1 root bin 17316 Apr 14 2002 /usr/bin/rlogin
-r-sr-xr-x 1 root bin 8436 Sep 12 20:20 /usr/bin/rsh
-r-sr-xr-x 1 root bin 11684 Sep 12 20:20 /usr/bin/su
-r-sr-xr-x 1 root bin 91276 Sep 12 20:20 /usr/bin/sudo
-r-sr-xr-x 1 root bin 192492 Sep 12 20:21 /usr/sbin/timedc
-r-sr-xr-x 1 root bin 198980 Sep 12 20:21 /usr/sbin/traceroute
-r-sr-xr-x 1 root bin 196764 Sep 12 20:21 /usr/sbin/traceroute6
itojun[tapioca:~] ls -l `find /usr/bin -perm 2555 -print` `find /usr/sbin -perm 2555 -print`
-r-xr-sr-x 4 root crontab 31796 Sep 12 20:20 /usr/bin/at
-r-xr-sr-x 4 root crontab 31796 Sep 12 20:20 /usr/bin/atq
-r-xr-sr-x 4 root crontab 31796 Sep 12 20:20 /usr/bin/atrm
-r-xr-sr-x 4 root crontab 31796 Sep 12 20:20 /usr/bin/batch
-r-xr-sr-x 1 root crontab 29512 Sep 12 20:20 /usr/bin/crontab
-r-xr-sr-x 1 root kmem 17672 Sep 12 20:20 /usr/bin/fstat
-r-xr-sr-x 1 root auth 7100 Sep 12 20:20 /usr/bin/lock
-r-xr-sr-x 1 root daemon 21872 Sep 12 20:21 /usr/bin/lpq
-r-xr-sr-x 1 root _lkm 5652 Sep 12 20:20 /usr/bin/modstat
-r-xr-sr-x 1 root kmem 117756 Sep 12 20:20 /usr/bin/netstat
-r-xr-sr-x 1 root auth 7580 Sep 12 20:20 /usr/bin/skeyaudit
-r-xr-sr-x 1 root auth 5072 Sep 12 20:20 /usr/bin/skeyinfo
-r-xr-sr-x 1 root auth 15640 Sep 12 20:20 /usr/bin/skeyinit
-r-xr-sr-x 1 root _sshagnt 55656 Sep 12 20:20 /usr/bin/ssh-agent
-r-xr-sr-x 1 root kmem 55316 Sep 12 20:20 /usr/bin/systat
-r-xr-sr-x 1 root kmem 31396 Sep 12 20:20 /usr/bin/vmstat
-r-xr-sr-x 1 root tty 10868 Sep 12 20:20 /usr/bin/wall
-r-xr-sr-x 1 root tty 8608 Sep 12 20:20 /usr/bin/write
-r-xr-sr-x 1 root daemon 33220 Sep 12 20:21 /usr/sbin/lpc
-r-xr-sr-x 1 root kmem 17484 Sep 12 20:21 /usr/sbin/pstat
-r-xr-sr-x 1 root kmem 9560 Apr 14 2002 /usr/sbin/trsp