[248] in linux-security and linux-alert archive


Should root own binaries?

daemon@ATHENA.MIT.EDU (Thomas Koenig)
Sun May 28 08:04:05 1995

To: jsdy@cais.cais.com (Joseph S. D. Yao)
Date: Fri, 26 May 1995 16:32:56 +0200 (MET DST)
Cc: shields@tembel.org, Thomas.Koenig@ciw.uni-karlsruhe.de,
        linux-security@tarsier.cv.nrao.edu
In-Reply-To: <199505251927.PAA23313@cais2.cais.com> from "Joseph S. D. Yao" at May 25, 95 03:27:18 pm
From: Thomas.Koenig@ciw.uni-karlsruhe.de (Thomas Koenig)

> From: Thomas.Koenig@ciw.uni-karlsruhe.de (Thomas Koenig)

> > Ugh... they should not be.  Unless some system binary needs to be setuid
> > to a particular userid, it should ALWAYS be owned by root, for exactly
> > this reason.
> 
> I'm afraid that I must respectfully but strongly disagree with the last
> conclusion.
> 
> I hold it as a strong security tenet that nothing on the file system
> should be owned by root.  Absolutely nothing at all.  Unless, of
> course, it will not work otherwise.
 
There is one case when this is absolutely needed: If you export your
files via NFS, they should be root-owned; otherwise every host
you export them to can modify them.

Yes, there's a readonly option; no, it doesn't always work (Linux nfsd
before version 2.1 was one example; unfortunately, there are others).

> Why is this?  I have two primary reasons.
> 
> The first reason is to discourage, as much as possible, the practice
> some people have of doing ALL system maintenance work as the super-user.

Well, I trust myself enough to do this :-)

[...]
> to change all files and directories owned by
> root - unless I can be persuaded otherwise - to some other user, typically
> "bin" (or "sys").

Do these accounts have passwords, or do you reach them via su from
root only?

Do ANY programs run as these users, daemons, for example (the way
Slackware is set up, atrun runs as bin most of the time; any programming
error in atrun might lead to breaking into the bin account, and then
modifying your system binaries)?

Do you use NFS?

> The second reason is to discourage the writing of programs that
> "really, absolutely, HAVE to be" setuid-root.

That's an entirely different kettle of fish.  I am talking about, for
example, whether /bin/ls should be 755, and owned by root, or 755,
and owned by bin.

> It is absolutely true that, if someone cracks the "bin" account, they
> would then (under this arrangement) be in a good position to get full
> control of the system.

Yes, precisely.

> Note that they would not have full control of
> the system immediately, as they would if they were to crack the "root"
> account.

It wouldn't take long, though.

> The solution, though, is to protect ALL system accounts, be
> they "root", "bin", "sys", "field" [if such exist], or whatever.
 
Protect them how, exactly?  Replace their password entry with '*'? :-)
-- 
Thomas Koenig, Thomas.Koenig@ciw.uni-karlsruhe.de, ig25@dkauni2.bitnet.
The joy of engineering is to find a straight line on a double
logarithmic diagram.
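As an added example, not part of the original thread or of any Linux
distribution's tooling: a portable sh script that applies the two checks
Koenig raises to constructed sample data. The first check lists system
binaries that an account other than root owns (the owner can chmod or
rewrite its own file, so a compromise of bin, sys, or a daemon running as
one of them reaches root's path), plus anything group- or world-writable,
with setuid binaries owned by another user reported separately as the one
exception the thread allows. The second check reads /etc/exports lines and
flags exports that are not explicitly read-only or that turn off root
squashing. The listing format (find -printf), the sample paths, the sample
exports file, and the output labels are my assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original thread. Applies the two checks
# raised in the discussion: (1) system binaries owned by an account other
# than root, which that account could rewrite or chmod; (2) NFS exports
# that are writable or that disable root squashing.
# All sample data below is constructed so the script runs offline.

# Constructed listing in the format produced on a real host by:
#   find /bin /sbin /usr/bin /usr/sbin -type f -printf '%u %g %m %p\n'
SAMPLE_LISTING='root root 755 /bin/ls
bin bin 755 /bin/cat
root root 4755 /bin/su
root root 775 /usr/bin/vi
sys root 755 /usr/sbin/atrun
root bin 755 /usr/bin/perl
uucp uucp 4755 /usr/bin/uucp'

# Report each file a non-root account could replace: owner is not root
# (an owner can chmod or rewrite its own file whatever the mode bits say),
# or the mode grants write to group or other. Setuid binaries owned by
# another account are the one exception the thread allows, so they are
# listed as REVIEW rather than silently accepted.
audit_listing() {
    printf '%s\n' "$1" | while read -r owner group mode path; do
        [ -n "$path" ] || continue
        special=${mode%???}           # leading setuid/setgid/sticky digit, if any
        perm=${mode#"$special"}       # trailing rwx triplet, e.g. 755
        gdig=${perm#?}; gdig=${gdig%?}   # group digit
        odig=${perm#??}                  # other digit
        case "$gdig$odig" in
            *[2367]*) writable=yes ;;    # any digit with the w bit set
            *)        writable=no ;;
        esac
        if [ "$owner" != root ]; then
            case "$special" in
                4|6) echo "REVIEW setuid-$owner $mode $path" ;;
                *)   echo "NONROOT $owner:$group $mode $path" ;;
            esac
        elif [ "$writable" = yes ]; then
            echo "WRITABLE $owner:$group $mode $path"
        fi
    done
}

# Constructed /etc/exports content; a real host would use: cat /etc/exports
SAMPLE_EXPORTS='/usr        *.example.org(ro,root_squash)
/usr/local  client1(rw)
/home       client2(rw,no_root_squash)
# comment line
/opt        client3(ro,no_root_squash)'

# Flag every export that is not explicitly read-only (RW) and every export
# that maps remote root to local root (NO_ROOT_SQUASH). Root squashing is
# what makes root ownership protective over NFS: a squashed remote root
# becomes nobody and cannot touch root-owned files, but can still become
# bin or sys on the client and rewrite files those accounts own.
audit_exports() {
    # subshell with globbing off so a client pattern like *.example.org
    # is never expanded against the local filesystem
    printf '%s\n' "$1" | ( set -f; while read -r path clients; do
        case "$path" in ''|'#'*) continue ;; esac
        for spec in $clients; do
            host=${spec%%\(*}
            opts=""
            case "$spec" in *\(*\)) opts=${spec#*\(}; opts=${opts%\)} ;; esac
            case ",$opts," in *,ro,*) ;; *) echo "RW $host $path" ;; esac
            case ",$opts," in *,no_root_squash,*) echo "NO_ROOT_SQUASH $host $path" ;; esac
        done
    done )
}

# Stand-alone run over the constructed samples
audit_listing "$SAMPLE_LISTING"
audit_exports "$SAMPLE_EXPORTS"
```

On a live system, feed audit_listing the output of the find command in the
comment and audit_exports the contents of /etc/exports; any NONROOT line is
a file that the named account, or any daemon running as it (atrun as bin in
the Slackware layout mentioned above), could replace.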
