Re: suid

Ok, I give up. On the discussion. Because Slackware comes totally bare,
without even shadow passwords off a CD, and I have plans to do more than
just experiments on this. I still find that Slackware is the most
appropriate base material for ANY kind of changes done to Linux.

So, I'll probably come up with a scheme that is shadow but is not shadow
and hope to make most things that relate to a clean server work on it (no
X - maybe later).

And you can count on paranoid security. Why exactly do you think that I'd
like a machine that gives temporary guest accounts over the Internet,
unattended, to have a working compiler and a readable /etc/passwd?!

And, how do you feel about having the whole /bin suid-able, knowing the
number of applications in there? Any one of them could have a quirk and
allow someone in.

I nearly had a heart attack when I took the 1.2.13 kernel apart to see
where the linux-lp patch could be inserted and such, and I saw that the
thing tries to run /etc/init, /bin/init and only after that /sbin/init by
default! Again your little beloved suid /bin, not to mention /etc,
neither of which contains a file called init by default, so someone could
somehow create one probably, in a hack.

You know, there were people out there who had Linux machines online, and
invited people to come and use the machines from a telnet account just for
laughs. They probably checked the security of their systems in that funny
way (I DON'T think that someone can be so lonely as to learn UNIX and set
up a Linux box for the purpose of strange people doing graffiti in their
file-systems).

As to the power switch security option, I'll pass. Waking up a modem from
a living death is complicated enough to warrant such violent action,
though. For some strange reason all modems seem to be perturbed by command
sequences interrupted abruptly in some way or other, and mine hangs solid
with the phone line open in this case, if this happens. I will end up
wiring a relay to its reset line, and to a free printer port bit... 

Peter
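The two concerns in the post above, a directory full of setuid binaries and stray files sitting in the kernel's init search order ahead of /sbin/init, are the kind of thing an administrator can audit with a few lines of shell. The script below is an added example and is not part of the original message; the function names, the demo tree built under a temporary directory and the file names in it are all constructed for illustration, and the init search order (/etc/init, /bin/init, then /sbin/init) is taken from the post's description of the 1.2.13 kernel rather than checked against any running system.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits a directory for setuid
# files and reports files sitting in the init search order ahead of /sbin/init.
# All paths are relative to a root directory so the demo can run on a
# constructed tree instead of a real system.

# Print the setuid (mode bit 4000) regular files under a directory, one per line.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Count them so the result can be checked rather than eyeballed.
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# The post says the 1.2.13 kernel tries /etc/init and /bin/init before
# /sbin/init. Report any file in those earlier positions under ROOT, since
# it would be started as PID 1 instead of the real init. Returns 1 if
# anything unexpected is found, 0 otherwise.
check_init_path() {
    root=$1
    found=0
    for p in etc/init bin/init; do
        if [ -e "$root/$p" ]; then
            echo "unexpected: /$p exists ahead of /sbin/init"
            found=1
        fi
    done
    return $found
}

# Build a constructed demo tree (hypothetical file names, not a real install):
# four plain binaries in bin/, two of them setuid, a real sbin/init and a
# stray etc/init in the earlier search position.
make_demo_root() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/etc" "$root/sbin"
    for f in ls cat login passwd; do
        : > "$root/bin/$f"
        chmod 755 "$root/bin/$f"
    done
    chmod 4755 "$root/bin/login" "$root/bin/passwd"
    : > "$root/sbin/init"
    : > "$root/etc/init"
    echo "$root"
}

# Run with "demo" as the first argument to exercise the checks on the tree.
if [ "${1:-}" = "demo" ]; then
    root=$(make_demo_root)
    echo "setuid files under $root/bin:"
    list_setuid "$root/bin"
    check_init_path "$root" || echo "init search path needs attention"
    rm -rf "$root"
fi
```

On a real machine the same two functions would be pointed at / (or at /bin and /usr/bin for the setuid listing); the setuid list is worth saving and diffing on a schedule, since a new entry is far easier to spot against a baseline than by reading the output fresh each time.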