> == - collect suid programs into common directory, or perhaps
> == a separate directory for uid/gid. (both in src and bin form).
> == rationale: Increase awareness of security critical programs.
> == Make it easier to check all suid programs at once.

> difficult for administration, particularly when patching or updating a package
> akin to smail. suggestion: run find with a -exec sum option. collect and
> store in a truly safe place (e.g. a floppy disk). set up cron to run a
> comparison job (e.g. run find for suid/sgid, perform sum, mount floppy, then
> compare). perhaps link suid/sgid binaries to a common, *hidden* directory
> for easy reference? use soft links to avoid easy detection.

You are addressing my post as if these were things I'd like done to a single
machine. Rather, this is my wishlist for "the way I'd like to see things done".
When I say separate suids I mean I'd like the default suid binaries to all be
in one directory, and their sources in another. I think "real" systems will
always have a /usr/local that doesn't quite follow the same layout as their
base system.

> == - database of privileged programs and dependencies. I.e. config
> == files, temp files, directories, databases, etc.
> == rationale: Keep track of assumptions in security critical programs.
> == Avoid holes that arise out of changing an assumption (example
> == making utmp world readable). Make it easier for automated
> == checks (i.e. world writable directories like preserve and
> == msgs).

> i like this. in fact, i stress such things when i perform security audits.
> caveat: do *NOT* store this database on-line. perhaps set up a secure,
> stand-alone machine (be cheesy: ifconfig down) for storage of security
> info.

I think making this public knowledge will give the best results in the end.
If this was a setup for a single system or group of systems then hiding any
security auditing you've done might be a good idea.

> == - system list of users allowed to use suid and sgid. Suid
> == binaries not run if file owner not allowed to use suid/sgid.
> == rationale: reduce the ability to store privilege on a filesystem.

> users would not be able to send mail. users would not be able to rlogin/remsh.
> this is too sweeping a gesture, although the intent is good. suggestion:
> write wrapper binaries around the suid/sgid commands. log activity. makes
> a nice complement to some of the daemon wrappers.

Ugh. I didn't state this clearly. Please read my response posted to usenet.

> very good thoughts. enjoy good horror stories? read the Morris and Bellovin
> papers. the idea above needs no more support than that.

read them quite a while ago.

> o robert owen thomas: Unix consultant. MAILER-DAEMON. user scratching post. o
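The find/sum/cron scheme suggested in the quoted reply above (inventory the suid/sgid binaries with a checksum, keep the list somewhere the machine cannot rewrite it, and have cron re-run the inventory and compare), as an added shell example; it is not code from either poster. It uses cksum(1) in place of the sum(1) named in the post, and the paths (a filesystem root, and a baseline file you would copy to write-protected or removable media) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread: checksum inventory of
# set-uid/set-gid files with a saved baseline and a cron-style comparison.
# cksum(1) stands in for the sum(1) the post mentions; its CRC catches
# edits more reliably, but neither is cryptographic, so the baseline must
# live where an attacker who can replace a binary cannot also rewrite it
# (the post's floppy; the paths in the usage comment are assumptions).

# suid_inventory ROOT
#   Print "crc size path" for every regular file under ROOT with the
#   set-uid (4000) or set-gid (2000) bit, sorted by path so two runs are
#   directly comparable. -xdev stays on one filesystem, so run it once per
#   mounted filesystem. Unreadable directories are silently skipped.
suid_inventory() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec cksum {} + 2>/dev/null | sort -k 3
}

# suid_baseline ROOT BASELINE
#   Write the current inventory to BASELINE. Copy that file to read-only
#   or removable media before trusting it.
suid_baseline() {
    suid_inventory "$1" > "$2"
}

# suid_check ROOT BASELINE
#   Recompute the inventory and diff it against BASELINE. Returns 0 when
#   nothing changed. Otherwise prints the differences ("<" = only in the
#   baseline: a suid file removed or its checksum changed; ">" = only in
#   the current run: a new suid file or the new checksum) and returns 1,
#   so a cron job can mail the output on non-zero exit.
suid_check() {
    if suid_inventory "$1" | diff "$2" -; then
        return 0
    fi
    echo "suid/sgid inventory of $1 differs from baseline $2" >&2
    return 1
}

# Typical use (assumed paths):
#   suid_baseline / /mnt/floppy/suid.baseline   # once; then write-protect it
#   suid_check / /mnt/floppy/suid.baseline      # nightly from cron
```

Because a setuid bit set on a user's own file is visible to `find -perm` without any privilege, the functions can be exercised against a scratch directory before being pointed at `/`.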