Subject: Re: Removing dm(1)
To: Curt Sampson , matthew green <mrg@eterna.com.au>
From: After 5 PM please slip brain through slot in door. <greywolf@starwolf.starwolf.com>
List: tech-security
Date: 11/22/1997 00:32:28
This may well have been answered, but here goes:

Curt Sampson sez:
/*
 * On Wed, 19 Nov 1997, matthew green wrote:
 * 
 * > can not most of this problem be solved by making all the games owned
 * > by root.wheel, rather than games.bin ?
 * 
 * Then all the games would be suid root. :-) But as others have
 * pointed out, we can probably minimise the risk by making games
 * setgid.
 * 
 * > personally, i want to do that
 * > for *all* installed programs also...  i *really* don't understand the
 * > concept of a `bin' account or group, when it comes to security issues.
 * 
 * I don't actually understand this either. Can anyone explain it?

I think the idea is to have things groupable for easy categorization,
but the primary reasoning -- as I understand it -- is that group 'bin'
does not grant any real special priveleges as 'wheel' does:  If you
don't have a way to be in group "wheel", you can't even ATTEMPT to su
to root.

And while it may look like a straw man given su's other security/logging,
it is something to take into account.

Personally, I *like* the idea of "groupifying" things: bin for the binary
snapshot (but, then, what is "sys" for?), kmem for memory, tty for ttys,
operator for tape/disk devices (though we'd do reasonably well to make
tapes generally writeable, since most systems are workstations these
days, and not servers), games for games.

I've forgotten, is there a group "wsys" in general, or is this something
I did to my own system?  I use it for "working system", i.e. an area
in which to do development/work/updating (Yes, I work on live source
trees).  My entire /sys tree is group wsys (perhaps I use "sys" for the
other system sources, or is that "staff"?).

I can see where all the groups would become problematic, but properly
used, they can be a boon.

I hope I answered the original question in there, somewhere :-).

 * 
 * cjs
 * 
 * Curt Sampson    cjs@portal.ca	   Info at http://www.portal.ca/
 * Internet Portal Services, Inc.	   Through infinite myst, software reverberates
 * Vancouver, BC  (604) 257-9400	   In code possess'd of invisible folly.
 * 
 */





				--*greywolf;
--
Microsoft:  Living proof that Borg screw Ferengi.