/etc/shutdown permissions
Jim Rosenberg
jr at amanue.UUCP
Sun Nov 27 12:48:33 AEST 1988
In article <4272 at encore.UUCP> bzs at encore.com (Barry Shein) writes:
>From: jr at amanue.UUCP (Jim Rosenberg)
>>To be truthful, I can hardly believe in light of all the concern for security
>>prompted by the (apparently) Morris Worm that anyone would seriously propose
>>leaving 755 permissions on something like /etc/shutdown, for crying out loud!
>>The off-the-shelf permissions on the 7300 are probably the worst of any
>>commercially released UNIX box ever seen on the face of the earth. You should
>>give your machine a thorough going over.
>
>Jim, with all due respect, this is awful, panic-stricken advice...
>
>If shutdown can be run w/o being root then it should take a 5 line
>C-program to effect the same thing if you protect it. You are wholly
>dependent on the fact that some syscalls are root-only and if you
>can't rely on it you are SOL, no amount of running around shutting off
>permissions on files will protect you.
...
>All this kind of advice is doing is panicking people, making them
>waste their time doing things of questionable value and hence avoiding
>real issues (or at the very least burying it in a bad signal to noise
>ratio, distracting folks from understanding what they really need to
>do to get proper security on their system etc.)
...
>There are certainly ways to improve security *in general* by changing
>files to correct permissions, but let's get the list of correct,
>specific suggestions that actually will help before we start hearing
>"omigod i did as you said and made foo unexecutable and now i can't
>login/boot/compile [whatever]!!" etc and other incredible wastes of
>time.
Your points are certainly well-taken. I am more than willing to listen to
sage advice from someone with as much UNIX experience as you have that I may
be overreacting. But frankly I still stand by my general points, which are:
(1) Good security means defense in depth. It is *NOT* being paranoid or
panic-stricken to think of the permission system as the first line of defense,
to try to get those permissions correct. (2) I still fail to see the wisdom of
leaving o+x permissions on system administration commands -- unless there is
some special reason for doing so and the sysadmin knows what [s]he is is doing.
Of course the real protection is at the system call level. (2nd. line of
defense.) In the case of my disagreeable user, the fellow knew enough about
the UNIX permission system to know what to try to help himself to, but not
enough to be compiling programs that make system calls. Tightening permissions
was my way of telling him that I wasn't kidding. I could perfectly well turn
around your argument that the kernel won't let ordinary users do the dirty work
of shutdown [true] and say that making /etc/shutdown o-x won't make anything
break, either [also true].
Holy smokes, Barry, we're talking about a system that as delivered has a
setuid-root program with shell escapes that don't even change the effective uid
back to the real uid!! It *is* true that 7300/3b1 as delivered *DOES NEED* a
thorough going-over if it's to be put where security matters. That's been
widely discussed up here. If you charge me of not being very enlightening to
a novice system administrator as to how to do this, well I guess I'll plead
guilty on that one. It would be silly to swap accusations of overreacting vs.
underreacting -- now that would be *REAL* noise and no signal.
We had a request for help on /etc/shutdown. o+x won't succeed, o-x won't hurt.
Should we not, perhaps, help out some of those hundreds of fire-sale buyers
by trying to come to some kind of agreement on where the real 3b1/7300
weaknesses are?
--
Jim Rosenberg
CIS: 71515,124 decvax!idis! \
WELL: jer allegra! ---- pitt!amanue!jr
BIX: jrosenberg uunet!cmcl2!cadre! /
More information about the Unix-pc.general
mailing list