Re: /etc/utmp

Marc W. Mengel (mengel@dcdmwm.fnal.gov)
Mon, 28 Mar 94 09:46:16 -0600

In <9403252218.AA14294@rwing.UUCP>  you write:
  I don't know of a specific patch, for this.  But the only REAL fix is
  to make the /etc/utmp file so it is not world-writeable.  That means,
  of course, fixing anything that must update it, other than login or init
  to run SUID root without creating a worse hole.  

To quote our President: "NO NO NO NO NO NO NO ..." :-)

Making things setuid root is almost always wrong.   Make a new group,
say group "utmp", and make anything that needs to deal with utmp
setgid utmp; similarly for mail, etc.  That way if you have something
that needs to do mail and utmp, you can just put it in multiple groups.
Similarly ps and friends should be setgid "kmem", and kmem should be
readable by group "kmem".  It's just the principle of least privilege
applied to good old fashioned UNIX.

If our vendors did things this way out of the box, there would be far fewer 
things running as root on our systems, and far fewer security problems to
begin with.   [There are even schemes to make things like cron and at not 
have to be root (The user creates an executable setuid to them that cron
will run.)]

Okay, I'll get down off my soapbox now... But remember, next time you hear
someone suggests making something setuid root, see if you can deal with the
problem with a nice, separate group id, and setgid instead.

Marc
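The two conditions discussed in this thread (a world-writable utmp, and helpers that are setuid rather than setgid to a dedicated group) can be checked mechanically from the `ls -ld` permission field. The script below is an added example written for this archive page, not code from the original mail or its author; it works only on files it creates under `mktemp`, never on the real `/etc/utmp`, and the `groupadd utmp` / `chgrp` lines in the comments are the assumed root-only steps that a real system would need before the mode changes shown.

```sh
#!/bin/sh
# Added example (not from the original post). Classifies files by the two
# properties the thread cares about: is the file world-writable, and does a
# helper carry the setuid bit instead of a setgid bit for a dedicated group
# (the post's "utmp" or "kmem" groups). Operates on constructed files only.

# perm_field FILE -> the 10-character type/permission string from ls -ld,
# e.g. "-rwxr-sr-x". Works with GNU and BSD ls; ACL/SELinux markers are cut.
perm_field() {
    ls -ld "$1" | cut -c1-10
}

# classify FILE -> one of: world-writable, setuid, setgid, ok
# world-writable is reported first because that is the hole the original
# question was about; "ok" means no world write bit and no set-id bit.
classify() {
    p=$(perm_field "$1")
    case "$p" in
        ????????w?)    echo world-writable ;;
        ???[sS]??????) echo setuid ;;
        ??????[sS]???) echo setgid ;;
        *)             echo ok ;;
    esac
}

# demo -> builds a throw-away tree showing the "before" state from the
# question and the "after" state Marc recommends; returns 0 only when the
# "after" state matches (utmp not world-writable, helper setgid not setuid).
demo() {
    d=$(mktemp -d) || return 1

    # Before (constructed): world-writable utmp, setuid helper.
    : > "$d/utmp";   chmod 0666 "$d/utmp"
    : > "$d/helper"; chmod 4755 "$d/helper"
    echo "before: utmp=$(classify "$d/utmp") helper=$(classify "$d/helper")"

    # After: on a real system this is preceded by (as root, assumed here)
    #   groupadd utmp            # or add the group to /etc/group by hand
    #   chgrp utmp /etc/utmp /path/to/helper
    # Group "utmp" may write the file, the world may only read it, and the
    # helper gains the group via setgid instead of root via setuid.
    chmod 0664 "$d/utmp"
    chmod 2755 "$d/helper"
    echo "after:  utmp=$(classify "$d/utmp") helper=$(classify "$d/helper")"

    u=$(classify "$d/utmp"); h=$(classify "$d/helper")
    rm -rf "$d"
    [ "$u" = ok ] && [ "$h" = setgid ]
}

demo
```

The same `classify` loop can be pointed at a directory of set-id binaries to list which ones are setuid rather than setgid, which is the audit the post's closing advice calls for.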