On Fri, Jun 22, 2012 at 07:15:25PM +0200, Julian H. Stacey wrote: > Jason Hellenthal wrote: > > > > On Fri, Jun 22, 2012 at 03:43:47PM +0200, Julian H. Stacey wrote: > > > Over use of Root seems Bad. > > > Our ownership scheme has degraded compared to early 1980s Unix, where > > > most bin & lib files & dirs were owned by bin, except for > > > - a few SUID bins that Needed root > > > - occasional administrator droppings, > > > temporary accidental files that glared at the eyeball, > > > as root, cos near all else was just bin. > > > > > > IMO very little in a system should be user root. > > > > > > Apologies, but to guide replies : > > > (after threads burnt by a troll on another list) > > > I'd not appreciate replies just along the lines of > > > "It has to be to satisfy existing software". > > > I'd much rather receive replies along lines of > > > "What would be best ownership scheme, advantages & > > > disadvantages + should we change anything ?" > > > > > > > It is not really clear why you would want to change the permissions of > > root:wheel of / on any of these. > > To Increase security. > More visual prompting of when juniot admins blunder& cerate > junk as root > A SUID with bin has less power than a SUID with uid=root > Currently every binary in the system is one bit away from the jackpot, > SUID root, why not convert most binaries to uid=bin, thenmost binaries > are 2 bits away from jackpot, more safety in event of a blunder too. > > > root is the owner of the system ... it > > Only because it currently is, & you'r used to it ;-) > Remember back a few decades, Think more deeply, Why do you think it > _needs_ to be ? Unix didnt used to Want that, it was usualy a blunder when > it occured. > > look at /etc/passwd > root: entry has the shell, > bin: entry is more limited, just has /sbin/nologin
Would not a 0:0 / (or all system directory entries) help limit the damage possible if a junior admin sets suid on a random, possibly bogus, bin:bin binary? -- Scott Lambert KC5MLE Unix SysAdmin lamb...@lambertfam.org _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
