Subject: Re: newsyslog
To: Todd Vierling <tv@pobox.com>
From: Jim Wise <jwise@unicast.com>
List: current-users
Date: 07/28/1998 19:09:36

On Tue, 28 Jul 1998, Todd Vierling wrote:

>On Wed, 29 Jul 1998, Dave Sainty wrote:
>
>: newsyslog is explicitly installed with BINOWN root.  This seems
>: pointless as it isn't setuid.  Is there a deeper meaning for this, or
>: is it just an oversight?
>
>This was changed in the interest of security a while ago (as were all other
>binaries using BINOWN):  installing trojans is far easier on systems where
>you may be able to get access as a user other than root and overwrite bins
>that aren't owned by root.

I hate to kick the embers back up, but isn't this really an all
or nothing sort of thing?  I understand that newsyslog is owned by root
b/c it's in root's crontab, but if newsyslog, then why not compress(1),
which newsyslog exec()s (with a relative path, I might add)? Or how
about ls(1) or cat(1) which root execs daily?  Pretty soon you realise
that this only really buys you anything if you make root own everything,
which may be valid, but is not the same thing.

-- 
				Jim Wise
				jwise@unicast.com

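
The check this message argues for, as an added example that is not part of the original post: resolve each command the way a PATH search for a relative name would, then verify that both the binary and its directory are owned by the trusted uid and are not group- or other-writable. The function names `check_node` and `audit_cmd`, and the policy of trusting uid 0, are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Names are hypothetical.
# Resolve a command the way a PATH-searching exec of a relative name would,
# then check the binary and its directory: owned by the trusted uid and
# not writable by group or other.

check_node() {  # check_node FILE_OR_DIR TRUSTED_UID
    info=$(ls -ldnL -- "$1") || return 2
    mode=$(printf '%s\n' "$info" | awk '{print $1}')
    owner=$(printf '%s\n' "$info" | awk '{print $3}')
    bad=0
    if [ "$owner" != "$2" ]; then
        echo "FINDING: $1 is owned by uid $owner, expected $2"; bad=1
    fi
    case "$mode" in  # e.g. -rwxrwxr-x: char 6 is group w, char 9 is other w
        ?????w*|????????w*)
            echo "FINDING: $1 is group- or other-writable ($mode)"; bad=1 ;;
    esac
    return "$bad"
}

audit_cmd() {  # audit_cmd NAME SEARCH_PATH TRUSTED_UID
    old_ifs=$IFS; IFS=:
    for dir in $2; do
        IFS=$old_ifs
        [ -n "$dir" ] || dir=.   # empty PATH element means current directory
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            rc=0
            check_node "$dir" "$3" || rc=1
            check_node "$dir/$1" "$3" || rc=1
            return "$rc"
        fi
    done
    IFS=$old_ifs
    echo "FINDING: $1 not found in $2"
    return 1
}

# The commands named in the message, checked against uid 0 (assumed policy).
for cmd in compress ls cat; do
    audit_cmd "$cmd" "$PATH" 0 || true
done
```

Pass the PATH that root's crontab actually runs with as the second argument, since that is the search order a relative exec would follow.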