[753] in linux-security and linux-alert archive
Re: [linux-security] standard users,groups,perms?
daemon@ATHENA.MIT.EDU (Maarten Ballintijn)
Thu Jun 6 13:22:21 1996
From: Maarten Ballintijn <maartenb@nicetech.com>
To: jsdy@cais.cais.com (Joseph S. D. Yao)
Date: Thu, 6 Jun 1996 14:02:33 +0200 (MET DST)
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <199606051931.PAA24605@cais2.cais.com> from "Joseph S. D. Yao" at Jun 5, 96 03:31:03 pm
Hi,
"Joseph S. D. Yao wrote:"
> > I'm not sure that there is a need for so many system users or groups
> > (eg. why would I have certain files/directories owned by a specific
> > non-root user and not root?) Could somebody critique this?
>
> I always insist that absolutely nothing at all whatsoever on the file
> system be owned by root. Nothing. At all. Unless there is no other
> way to do it (whatever the "it" might be). There should be a small set
> of accounts whose passwords are protected equally as well as root's,
> that are used for maintaining the various parts of the system. These
> would be, e.g., bin, sys, adm, daemon, kmem, mail, uucp, lp, games,
> field, etc. Directories and files - ESPECIALLY setuid programs (and
> more of those should be setgid) - should be owned by one of these, and
> NOT by root. This would reduce immensely the number of times that it
> would be "necessary" to be root to perform some task or other; and thus
> the number of windows of opportunity for certain types of attack - and
> for simple mistakes.
From a security point of view I do not think this is a wise guideline.
By introducing more accounts the number of weak links is increased,
there is less support from the kernel to protect these accounts, and
people are more careless ``because it is not the root account''.
A small example: if /, /bin, /etc, /lib are not owned by root, then the
uid owning these dirs (and there are many more) is equivalent to
the root account. The COPS package was based on this chaining principle
already many years ago.
> [ANECDOTE WITH A RELATED POINT, I THINK]
>
> Recently, at a site whose administrator is in our local SAGE chapter,
> someone's helper edited the /etc/password file and accidentally altered
> the super-user password. The /etc/password file was owned by root. It
> couldn't be fixed without resorting to booting a stand-alone system in
> a memory disk from the installation media. That took a while - and an
> appeal to the mailing list - to come up with. Needless.
What is the point? Do not let someone's helper's cousin's neighbors edit
your password file :-)
Regards,
Maarten Ballintijn.
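The chaining point above (whoever owns any directory on the path to /etc/passwd effectively controls it) as an added example, not code from this thread or from COPS: a small Python audit that walks every component of a critical path and reports non-root owners and group/world-writable components. The function names and the sample tree are my own constructions.

```python
import os
import stat

# The directories the reply names, plus the anecdote's password file.
CRITICAL_PATHS = ["/", "/bin", "/etc", "/lib", "/etc/passwd"]

def path_components(path):
    """Yield every prefix of an absolute path: '/', '/etc', '/etc/passwd'."""
    parts = [p for p in os.path.normpath(path).split(os.sep) if p]
    cur = os.sep
    yield cur
    for p in parts:
        cur = os.path.join(cur, p)
        yield cur

def chain_controllers(path, stat_fn=os.lstat):
    """Return (owners, weak): uids owning any component of `path`, and the
    components writable by group/other without the sticky bit.  Each such
    owner can replace a component, so each is as good as root for `path`."""
    owners, weak = set(), []
    for comp in path_components(path):
        st = stat_fn(comp)  # stat_fn is injectable so the logic is testable
        owners.add(st.st_uid)
        loose = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
        if loose and not st.st_mode & stat.S_ISVTX:
            weak.append(comp)
    return owners, weak

def audit(paths=CRITICAL_PATHS, stat_fn=os.lstat):
    """Map each path to the non-root uids and loose components in its chain."""
    findings = {}
    for p in paths:
        owners, weak = chain_controllers(p, stat_fn)
        non_root = sorted(owners - {0})
        if non_root or weak:
            findings[p] = {"non_root_owners": non_root, "writable": weak}
    return findings

class _FakeStat:  # minimal stand-in for os.stat_result
    def __init__(self, uid, mode):
        self.st_uid, self.st_mode = uid, mode

# Constructed sample tree (hypothetical): /etc handed to uid 2, rest root-owned.
SAMPLE_TREE = {"/": _FakeStat(0, 0o40755), "/bin": _FakeStat(0, 0o40755),
               "/etc": _FakeStat(2, 0o40755), "/lib": _FakeStat(0, 0o40755),
               "/etc/passwd": _FakeStat(0, 0o100644)}

if __name__ == "__main__":
    for path, finding in audit().items():  # audit the real filesystem
        print(path, finding)
```

On the sample tree, /etc/passwd is flagged even though the file itself is root-owned, because uid 2 controls its parent directory.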