, matthew green <mrg@eterna.com.au>
From: After 5 PM please slip brain through slot in door. <greywolf@starwolf.starwolf.com>
List: tech-security
Date: 11/22/1997 00:32:28
This may well have been answered, but here goes:
Curt Sampson sez:
/*
* On Wed, 19 Nov 1997, matthew green wrote:
*
* > can not most of this problem be solved by making all the games owned
* > by root.wheel, rather than games.bin ?
*
* Then all the games would be suid root. :-) But as others have
* pointed out, we can probably minimise the risk by making games
* setgid.
*
* > personally, i want to do that
* > for *all* installed programs also... i *really* don't understand the
* > concept of a `bin' account or group, when it comes to security issues.
*
* I don't actually understand this either. Can anyone explain it?

I think the idea is to have things groupable for easy categorization,
but the primary reasoning -- as I understand it -- is that group 'bin'
does not grant any real special privileges as 'wheel' does: If you
don't have a way to be in group "wheel", you can't even ATTEMPT to su
to root.

And while it may look like a straw man given su's other security/logging,
it is something to take into account.

Personally, I *like* the idea of "groupifying" things: bin for the binary
snapshot (but, then, what is "sys" for?), kmem for memory, tty for ttys,
operator for tape/disk devices (though we'd do reasonably well to make
tapes generally writeable, since most systems are workstations these
days, and not servers), games for games.

I've forgotten, is there a group "wsys" in general, or is this something
I did to my own system? I use it for "working system", i.e. an area
in which to do development/work/updating (Yes, I work on live source
trees). My entire /sys tree is group wsys (perhaps I use "sys" for the
other system sources, or is that "staff"?).

I can see where all the groups would become problematic, but properly
used, they can be a boon.

I hope I answered the original question in there, somewhere :-).
*
* cjs
*
* Curt Sampson cjs@portal.ca Info at http://www.portal.ca/
* Internet Portal Services, Inc. Through infinite myst, software reverberates
* Vancouver, BC (604) 257-9400 In code possess'd of invisible folly.
*
*/
--*greywolf;
--
Microsoft: Living proof that Borg screw Ferengi.
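The thread above weighs setuid-root against setgid and asks what ownership by bin buys. A defender's way to see where a system actually stands is to audit the set-id bits and owner/group of every installed binary. The following is an added Python example, not code from any of the list posts; the file names ("rogue", "fortune", "readme") and the temporary tree it builds are constructed for the demonstration.

```python
import os
import stat
import tempfile
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    path: str
    kind: str            # "setuid-root", "setuid-other" or "setgid"
    owner_uid: int
    group_gid: int
    group_writable: bool  # a set-id file its group can overwrite is a red flag


def classify_setid(mode: int, uid: int, gid: int) -> Optional[str]:
    """Classify a regular file by its set-id bits; None if it has neither."""
    if not stat.S_ISREG(mode):
        return None  # directories and devices use these bits differently
    if mode & stat.S_ISUID:
        # Only setuid *root* hands out root; setuid to another account is
        # a smaller grant, which is the point made in the thread.
        return "setuid-root" if uid == 0 else "setuid-other"
    if mode & stat.S_ISGID:
        return "setgid"
    return None


def audit_tree(root: str) -> List[Finding]:
    """Walk a directory tree and report every set-id regular file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: do not follow symlinks
            except OSError:
                continue
            kind = classify_setid(st.st_mode, st.st_uid, st.st_gid)
            if kind is None:
                continue
            findings.append(Finding(path, kind, st.st_uid, st.st_gid,
                                    bool(st.st_mode & stat.S_IWGRP)))
    return findings


def build_demo_tree() -> str:
    """Constructed sample tree: one setuid, one setgid, one plain file."""
    root = tempfile.mkdtemp(prefix="setid-audit-")
    for name, mode in (("rogue", 0o4755), ("fortune", 0o2755), ("readme", 0o644)):
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for f in audit_tree(build_demo_tree()):
        print(f"{f.kind:12} uid={f.owner_uid} gid={f.group_gid} "
              f"group-writable={f.group_writable} {f.path}")
```

Run it against /usr/bin or /usr/games on a real host to see which programs are setuid root versus merely setgid, and whether any set-id file is writable by its group.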