Re: Protections on inetd (and /sbin/* /usr/sbin/* in general)

[Daniel C. Sobral]

"Michael R. Wayne" wrote:
> 
> Recommendation:
>    A number of the executables located in /sbin and /usr/sbin are
>    never going to be invoked for any legitimate use by anyone other
>    than the superuser.  In particular, servers such as portmap and
>    inetd run by non-root users are unlikely to do what was intended.
>    It seems a prudent measure to simply not set execute permission
>    by "other" on such programs during the install, giving the user
>    a handy "Permission denied" message when such an attempt is made.
> 
>    For those reading quickly, I am NOT recommending removing execute
>    permission on ALL of /sbin/* and /usr/sbin/*, only on programs
>    such as "portmap", "inetd", "lpd", "syslogd", "halt", "reboot"
>    and others which perform no useful function to normal users.
>    /sbin/init already enforces this condition, how about expanding it?

Setup jail instead.

-- 
Daniel C. Sobral                        (8-DCS)
[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]

                "There is no spoon." -- Kiki



To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message