Path: utzoo!utgpu!watmath!uunet!xanth!mcnc!uvaarpa!haven!uflorida!ukma!cwjcc!mailrus!ames!killer!gladys!bakerst!cgh!amanue!jr
From: jr@amanue.UUCP (Jim Rosenberg)
Newsgroups: unix-pc.general
Subject: Re: /etc/shutdown permissions
Message-ID: <435@amanue.UUCP>
Date: 27 Nov 88 02:48:33 GMT
References: <234@safari.UUCP> <1349@umbc3.UMD.EDU> <426@amanue.UUCP> <4272@encore.UUCP>
Reply-To: jr@amanue.UUCP (Jim Rosenberg)
Distribution: unix-pc
Organization: Amanuensis Inc., Grindstone, PA
Lines: 69

In article <4272@encore.UUCP> bzs@encore.com (Barry Shein) writes:
>From: jr@amanue.UUCP (Jim Rosenberg)
>>To be truthful, I can hardly believe in light of all the concern for security
>>prompted by the (apparently) Morris Worm that anyone would seriously propose
>>leaving 755 permissions on something like /etc/shutdown, for crying out loud!
>>The off-the-shelf permissions on the 7300 are probably the worst of any
>>commercially released UNIX box ever seen on the face of the earth. You should
>>give your machine a thorough going over.
>
>Jim, with all due respect, this is awful, panic-stricken advice...
>
>If shutdown can be run w/o being root then it should take a 5 line
>C-program to effect the same thing if you protect it. You are wholly
>dependent on the fact that some syscalls are root-only and if you
>can't rely on it you are SOL, no amount of running around shutting off
>permissions on files will protect you.
...
>All this kind of advice is doing is panicking people, making them
>waste their time doing things of questionable value and hence avoiding
>real issues (or at the very least burying it in a bad signal to noise
>ratio, distracting folks from understanding what they really need to
>do to get proper security on their system etc.)
...
>There are certainly ways to improve security *in general* by changing
>files to correct permissions, but let's get the list of correct,
>specific suggestions that actually will help before we start hearing
>"omigod i did as you said and made foo unexecutable and now i can't
>login/boot/compile [whatever]!!" etc and other incredible wastes of
>time.

Your points are certainly well-taken. I am more than willing to listen to sage
advice from someone with as much UNIX experience as you have that I may be
overreacting. But frankly I still stand by my general points, which are:

(1) Good security means defense in depth. It is *NOT* being paranoid or
panic-stricken to think of the permission system as the first line of defense,
to try to get those permissions correct.

(2) I still fail to see the wisdom of leaving o+x permissions on system
administration commands -- unless there is some special reason for doing so and
the sysadmin knows what [s]he is doing.

Of course the real protection is at the system call level. (2nd line of
defense.) In the case of my disagreeable user, the fellow knew enough about the
UNIX permission system to know what to try to help himself to, but not enough
to be compiling programs that make system calls. Tightening permissions was my
way of telling him that I wasn't kidding. I could perfectly well turn around
your argument that the kernel won't let ordinary users do the dirty work of
shutdown [true] and say that making /etc/shutdown o-x won't make anything
break, either [also true].

Holy smokes, Barry, we're talking about a system that as delivered has a
setuid-root program with shell escapes that don't even change the effective uid
back to the real uid!! It *is* true that 7300/3b1 as delivered *DOES NEED* a
thorough going-over if it's to be put where security matters. That's been
widely discussed up here.

If you charge me with not being very enlightening to a novice system
administrator as to how to do this, well I guess I'll plead guilty on that one.
It would be silly to swap accusations of overreacting vs. underreacting -- now
that would be *REAL* noise and no signal.

We had a request for help on /etc/shutdown. o+x won't succeed, o-x won't hurt.
Should we not, perhaps, help out some of those hundreds of fire-sale buyers by
trying to come to some kind of agreement on where the real 3b1/7300 weaknesses
are?
-- 
Jim Rosenberg                            CIS: 71515,124
    decvax!idis! \                       WELL: jer
     allegra!     ---- pitt!amanue!jr    BIX: jrosenberg
    uunet!cmcl2!cadre! /
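A small audit in the spirit of the "first line of defense" point above, as an added example that is not part of the original thread: it lists world-executable (o+x) and setuid files under a directory and strips o+x from named admin commands. The sample tree is constructed in a temp directory to stand in for /etc, and the file names in it are assumed.

```sh
#!/bin/sh
# Added example, not from the original thread. Audits a directory for
# world-executable (o+x) and setuid files, then removes o+x from chosen
# admin commands. Try it on a sample tree or a copy before the real /etc.

# Construct a sample tree standing in for /etc on a 3b1 (names assumed).
make_sample_etc() {
  dir=$(mktemp -d)
  : > "$dir/shutdown"; chmod 755  "$dir/shutdown"  # admin command, o+x
  : > "$dir/fsck";     chmod 750  "$dir/fsck"      # admin command, already o-x
  : > "$dir/mount";    chmod 4755 "$dir/mount"     # setuid and o+x
  : > "$dir/passwd";   chmod 644  "$dir/passwd"    # data file, not executable
  printf '%s\n' "$dir"
}

# Regular files with the other-execute bit set (octal 001), sorted.
list_world_exec() {
  find "$1" -type f -perm -001 | sort
}

# Regular files with the setuid bit set (octal 4000), sorted.
list_setuid() {
  find "$1" -type f -perm -4000 | sort
}

# Number of world-executable regular files under a directory.
count_world_exec() {
  list_world_exec "$1" | wc -l | tr -d ' '
}

# Remove other-execute from each named file. The kernel still enforces
# root-only syscalls (the second line of defense); this closes the first.
remove_other_exec() {
  for f in "$@"; do
    chmod o-x "$f"
  done
}

# Stand-alone run: report, tighten shutdown, show the result, clean up.
d=$(make_sample_etc)
echo "world-executable:"; list_world_exec "$d"
echo "setuid:";           list_setuid "$d"
remove_other_exec "$d/shutdown"
echo "after chmod o-x shutdown:"; list_world_exec "$d"
rm -r "$d"
```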