[921] in bugtraq
Re: Request for discussion.
daemon@ATHENA.MIT.EDU (Timothy Newsham)
Mon Feb 6 22:39:25 1995
From: newsham@aloha.net (Timothy Newsham)
To: rthomas@pamd.cig.mot.com (robert owen thomas)
Date: Mon, 6 Feb 1995 15:03:13 -1000 (HST)
Cc: newsham@aloha.net, bugtraq@fc.net
In-Reply-To: <9502061058.ZM13365@pamd.cig.mot.com> from "robert owen thomas" at Feb 6, 95 10:58:00 am
> == - collect suid programs into common directory, or perhaps
> == a separate directory for uid/gid. (both in src and bin form).
> == rationale: Increase awareness of security critical programs.
> == Make it easier to check all suid programs at once.
> difficult for administration, particularly when patching or updating a package
> akin to smail. suggestion: run find with a -exec sum option. collect and
> store in a truly safe place (e.g. a floppy disk). set up cron to run a
> comparison job (e.g. run find for suid/sgid, perform sum, mount floppy, then
> compare). perhaps link suid/sgid binaries to a common, *hidden* directory
> for easy reference? use soft links to avoid easy detection.
You are addressing my post as if these were things I'd like done
to a single machine. Rather this is my wishlist for "the way
I'd like to see things done". When I say separate suids I mean
I'd like the default suid binaries to all be in one directory,
and their sources in another. I think "real" systems will always
have a /usr/local that doesn't quite follow the same layout as
their base system.
> == - database of privileged programs and dependencies. I.e. config
> == files, temp files, directories, databases, etc.
> == rationale: Keep track of assumptions in security critical programs.
> == Avoid holes that arise out of changing an assumption (example
> == making utmp world readable). Make it easier for automated
> == checks (i.e. world writeable directories like preserve and
> == msgs).
> i like this. in fact, i stress such things when i perform security audits.
> caveat: do *NOT* store this database on-line. perhaps set up a secure,
> stand-alone machine (be cheesy: ifconfig down) for storage of security
> info.
I think making this public knowledge will give the best results in
the end. If this was a setup for a single system or group of
systems then hiding any security auditing you've done might
be a good idea.
> == - system list of users allowed to use suid and sgid. Suid
> == binaries not run if file owner not allowed to use suid/sgid.
> == rationale: reduce the ability to store privilege on a filesystem.
> users would not be able to send mail. users would not be able to rlogin/remsh.
> this is too sweeping a gesture, although the intent is good. suggestion:
> write wrapper binaries around the suid/sgid commands. log activity. makes
> a nice complement to some of the daemon wrappers.
Ugh. I didn't state this clearly. Please read my response posted to
usenet.
> very good thoughts. enjoy good horror stories? read the Morris and Bellovin
> papers. the idea above needs no more support than that.
Read them quite a while ago.
> o robert owen thomas: Unix consultant. MAILER-DAEMON. user scratching post. o
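The "find, sum, store the result somewhere safe, cron a comparison" job for setuid/setgid binaries that the quoted reply sketches, written out as an added example (not code from the thread or from either poster): it records a digest of every setuid/setgid file under a root directory, then later diffs a fresh scan against that baseline. It assumes POSIX sh with find, diff and mktemp, and substitutes sha256sum/shasum (falling back to cksum) for sum(1); the sample tree it scans is constructed inline.

```shell
#!/bin/sh
# Added example: baseline-and-compare job for setuid/setgid files.
# Assumed tools: POSIX sh, find, diff, mktemp; sha256sum or shasum, else cksum.

# Digest one file as "hash  path" (sha256 where available, cksum as a weak fallback).
digest_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1"
    else cksum "$1"
    fi
}

# Write a sorted inventory of every setuid (-4000) or setgid (-2000) file under $1 to $2.
suid_baseline() {
    root=$1; out=$2
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) -print \
        | sort | while IFS= read -r f; do digest_file "$f"; done > "$out"
}

# Rescan $1 and diff against baseline $2: exit 0 if identical, 1 if anything
# was added, removed, or changed ('<' lines are baseline, '>' lines are current).
suid_compare() {
    root=$1; baseline=$2
    current=$(mktemp) || return 2
    suid_baseline "$root" "$current"
    if diff "$baseline" "$current"; then rm -f "$current"; return 0; fi
    rm -f "$current"; return 1
}

# Constructed sample tree: two setuid scripts and one ordinary one (not real binaries).
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/bin"
    printf '#!/bin/sh\necho su\n' > "$t/bin/su"
    printf '#!/bin/sh\necho passwd\n' > "$t/bin/passwd"
    printf '#!/bin/sh\necho ls\n' > "$t/bin/ls"
    chmod 4755 "$t/bin/su" "$t/bin/passwd"; chmod 0755 "$t/bin/ls"
    printf '%s\n' "$t"
}

# Demo: clean comparison, then tamper with one setuid file and compare again.
demo() {
    t=$(make_sample_tree)
    suid_baseline "$t" "$t/suid.baseline"
    suid_compare "$t" "$t/suid.baseline" && echo "clean: inventory matches baseline"
    printf 'echo tampered\n' >> "$t/bin/su"   # simulate a modified setuid file
    chmod 4755 "$t/bin/su"                    # Linux clears the bit on write; restore it
    suid_compare "$t" "$t/suid.baseline" || echo "change detected, as expected"
    rm -rf "$t"
}
demo
```

The baseline file is the piece the reply suggests keeping on read-only offline media; a cron entry that runs suid_compare against a copy of it is the comparison job.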