Full Disclosure mailing list archives

Re: Partial Solution to SUID Problems


From: Ciro <domino () asgardnet org>
Date: Fri, 5 Dec 2003 04:41:00 -0500 (EST)

On Thu, 4 Dec 2003, Gino Thomas wrote:

> I asked some ppl the same question, answers vary. On one hand some ppl
> trust the suids and claim that messing up with them will open new
> problems and that there are also many other ways to get root (kernel,
> libc, daemons,...) on the other hand ppl agreed with me that if I don't
> need uucp, why should it be on my box anyway (and that suid or sgid).
> As said, I disabled all suids except 'su', so a user can't use
> 'netstat', 'ping' or even 'man' anymore, but I do not want that on a
> bastion host anyway, eh? Mounting what's left on a separate partition
> seems to be as logical as doing that for /home, /tmp,...
>
> I would like to see a detailed discussion about this, too.

The thing that screams "bad idea" or at least "inconvenient pain in the
neck" to me is that, on the off chance that a wide-spread exploit is
found and you have to "make world" or whatever, it puts them right back
and you have to do it again.

Of course, I'm a perl scripter, so by definition I'm lazy[0] ;)

-C

[0]Larry Wall said it, not me. <g>


"Why would burglars need to look for a backdoor when they can climb in
through Windows?" --Norman L DeForest, in NANAE
"You know how dumb the average luser is? Well, half of 'em are dumber
than that" -- The Roadie, in NANAE

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
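
The objection in the reply above is that a rebuild such as "make world" puts the set-id bits back, so the stripping has to be repeated. One way to make that repeatable is an idempotent allowlist pass, shown here as an added example that is not part of the original post; the function names, the KEEP variable and the paths in it are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: re-apply a set-id allowlist.
# Safe to rerun after every rebuild or package upgrade, because files
# that are already stripped no longer match the find expression.

# Paths allowed to keep setuid/setgid, one per line.
# Constructed default: the post keeps only 'su'; adjust per host.
KEEP="${KEEP:-/bin/su
/usr/bin/su}"

# True if the exact path is on the allowlist (fixed-string, whole-line match).
is_kept() {
    printf '%s\n' "$KEEP" | grep -Fxq -- "$1"
}

# strip_suid ROOT [apply]
# Walks ROOT (one filesystem only) and prints "keep  PATH" or "strip PATH"
# for every regular file with setuid or setgid set. Without "apply" it
# only reports; with "apply" it removes both bits from non-allowlisted files.
# Paths containing newlines are not handled.
strip_suid() {
    root=$1
    mode=${2:-report}
    # Portable form of "setuid OR setgid"; works with GNU and BSD find.
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print |
    while IFS= read -r f; do
        if is_kept "$f"; then
            echo "keep  $f"
        else
            echo "strip $f"
            if [ "$mode" = apply ]; then
                chmod ug-s "$f"
            fi
        fi
    done
}

# Typical use after a rebuild (as root):
#   strip_suid /        # review the report first
#   strip_suid / apply  # then enforce
```

Running the report mode from cron and diffing its output against the previous run also shows when an upgrade has reintroduced a set-id binary.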

