[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: tightening root program modes

To: Matthew Patton <matthew.patton@ra.pae.osd.mil>
Subject: Re: tightening root program modes
From: Brian Somers <brian@Awfulhak.org>
Date: Thu, 11 Mar 1999 17:46:51 +0000
Cc: tech@openbsd.org

> Some of you may have seen the little thread on smtp(fwd)d being mode 500
> and why. The question is:
> 
> Does it make any sense (or even worth our while) to mark all programs
> that only root can possibly execute as mode 500 instead of the default
> 555? Yes, any program that gains increased security by virtue of going
> 500 is need of a rewrite. However, if only root is supposed to be
> running it, why even pretend that others can?
> 
> If touching root programs is not considered useful, what to do about
> smtpd and friends? Let it's currently unique situation continue? Or
> bring it into compliance with the rest of the system?

If a given program is not readable by non-root, root won't be able to 
execute it from an NFS filesystem by default (unless -maproot=0 is 
added to the export).

They should therefore be at least 544.

-- 
Brian <brian@Awfulhak.org> <brian@FreeBSD.org> <brian@OpenBSD.org>
      <http://www.Awfulhak.org>
Don't _EVER_ lose your sense of humour !

References:
- tightening root program modes
  - From: Matthew Patton <matthew.patton@ra.pae.osd.mil>

Prev by Date: Advansys driver
Next by Date: interactive performance patch from NetBSD
Prev by thread: Re: tightening root program modes
Next by thread: The Bulgarian Mirror???
Index(es):
- Date
- Thread