Subject: Re: misc/143: Setuid programs installed unreadable
To: Peter Galbavy <peter@wonderland.org>
From: None <Mark_Weaver@brown.edu>
List: netbsd-bugs
Date: 03/01/1994 09:43:29
> > > as for 'crontab' some would argue that making it readable is OK,
> > > but i think leaving it unreadable is a reasonable security measure to
> > > take.
> > 
> > I don't get it. Since anyone can FTP the source to these things, how does
> > making the binaries unreadable help?
> 
> I have to second this. I think security through obscurity is great
> with the non-technical, but just let a student at them... If everything
> is readable, then there is nothing to "hide" and people (me for one)
> feel less inclined to worry about hidden bugs.

I disagree.  Consider an automated attack that analyzes setuid
binaries for security holes.  It is quite feasible.

	Mark
--------------------------------------------------------------------
Email: Mark_Weaver@brown.edu           | Brown University
PGP Key: finger mhw@cs.brown.edu       | Dept of Computer Science

------------------------------------------------------------------------------