On 6/22/12 1:15 PM, Julian H. Stacey wrote:
Jason Hellenthal wrote:
It is not really clear why you would want to change the permissions of
root:wheel of / on any of these.
To Increase security.
        More visual prompting of when junior admins blunder & create
        junk as root
        A SUID with bin has less power than a SUID with uid=root
        Currently every binary in the system is one bit away from the jackpot,
        SUID root, why not convert most binaries to uid=bin, then most binaries
        are 2 bits away from jackpot, more safety in event of a blunder too.
SUID binaries are one issue.  The directory '/' is not a SUID binary.
The issue for sshd is ownership of the directory '/'.

root is the owner of the system ... it
Only because it currently is, & you're used to it ;-)
Remember back a few decades, Think more deeply, Why do you think it
_needs_ to be ? Unix didn't used to Want that, it was usually a
blunder when it occurred.

        look at /etc/passwd
                root: entry has the shell,
                bin: entry is more limited, just has /sbin/nologin

The question is WHY did FreeBSD switch to promote everything to root ?
That it did so Way back proves nothing,
Cos further back Unix was bin.
At one time I read that having directories/files owned by root was a
security benefit when considering the -maproot=<x> for NFS exports.
All unix systems recognize UID=0 means root, and there is no other
UID which all unix systems agree on.  Disclaimer:  I rarely use NFS,
so I don't really pay attention to the details.  I may have the wrong
idea for what the advantage is, but it was some kind of connection
with UID=0 and NFS exports or imports.

I don't think you have shown any benefit by having directories owned
by bin instead of root.  I think the check in sshd is fine as it is.

--
Garance Alistair Drosehn            =   g...@gilead.netel.rpi.edu
Senior Systems Programmer           or  g...@freebsd.org
Rensselaer Polytechnic Institute    or  dro...@rpi.edu

_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
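As an added illustration of the sshd check Garance refers to (example code written for this page, not OpenSSH's own source), here is a simplified model of the StrictModes path walk run over a constructed fake filesystem. It assumes illustrative uids and a hypothetical AuthorizedKeysFile location under /etc/ssh/keys to show that ownership of '/' only comes into play when the key file sits outside the user's home directory.

```python
import os

# Constructed fake filesystem for the demonstration: path -> (owner uid, mode).
# Nothing here is read from a real system; the uids are illustrative.
ROOT_UID, BIN_UID, ALICE_UID = 0, 3, 1001

def make_fs(root_owner):
    """Fake filesystem in which only '/' has a variable owner."""
    return {
        "/":                                (root_owner, 0o755),
        "/etc":                             (ROOT_UID, 0o755),
        "/etc/ssh":                         (ROOT_UID, 0o755),
        "/etc/ssh/keys":                    (ROOT_UID, 0o755),
        "/etc/ssh/keys/alice":              (ROOT_UID, 0o644),
        "/home":                            (ROOT_UID, 0o755),
        "/home/alice":                      (ALICE_UID, 0o755),
        "/home/alice/.ssh":                 (ALICE_UID, 0o700),
        "/home/alice/.ssh/authorized_keys": (ALICE_UID, 0o600),
    }

def secure_path(path, user_uid, home, fs):
    """Mimic sshd's StrictModes walk: the file and every directory above it
    (stopping at the user's home, or at '/') must be owned by root or by the
    user and must not be group- or world-writable.  Returns None when the
    path is acceptable, otherwise the first offending component."""
    cur = os.path.normpath(path)
    while True:
        uid, mode = fs[cur]
        if uid not in (ROOT_UID, user_uid) or (mode & 0o022):
            return cur
        if cur in (home, "/"):
            return None
        cur = os.path.dirname(cur)

def demo():
    """Offending component (or None) for keys in/out of $HOME, '/' owned by root/bin."""
    results = {}
    for label, owner in (("root", ROOT_UID), ("bin", BIN_UID)):
        fs = make_fs(owner)
        # Keys under the home directory: the walk stops at /home/alice,
        # so the ownership of '/' is never examined.
        results[("home", label)] = secure_path(
            "/home/alice/.ssh/authorized_keys", ALICE_UID, "/home/alice", fs)
        # Keys kept outside the home directory: the walk continues up to '/'.
        results[("etc", label)] = secure_path(
            "/etc/ssh/keys/alice", ALICE_UID, "/home/alice", fs)
    return results
```

Calling demo() shows that a '/' owned by bin is rejected only for the key file kept outside the home directory, which is the case where sshd's check actually reaches '/'.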
