Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: Notesfiles $Revision: 1.6.2.17 $; site uokvax.UUCP
Path: utzoo!watmath!clyde!cbosgd!ihnp4!inuxc!pur-ee!uiucdcs!uokvax!jab
From: jab@uokvax.UUCP
Newsgroups: net.unix-wizards
Subject: Re: Re: Findsuid source (Re: Security an
Message-ID: <6200047@uokvax.UUCP>
Date: Sun, 3-Feb-85 20:07:00 EST
Article-I.D.: uokvax.6200047
Posted: Sun Feb 3 20:07:00 1985
Date-Received: Wed, 6-Feb-85 04:22:47 EST
References: <327@lsuc.UUCP>
Lines: 23
Nf-ID: #R:lsuc:-32700:uokvax:6200047:000:1024
Nf-From: uokvax!jab Feb 3 19:07:00 1985

/***** uokvax:net.unix-wizar / emks / 3:45 pm Jan 29, 1985 */
Another problem with having a find-suid-programs program that runs based
on crontab entries is that anyone can see when the find-suid-programs
program is going to run next, and make their moves on that basis.

Perhaps /usr/lib/crontab should be mode 600... But then one could always
check the last access time of the program, or look up the per-proc
accounting.
/* ---------- */

There is a good argument for locking the "per process accounting" records,
since it was NONE OF YOUR BUSINESS what programs I run.

Any findsuid program needs to notice the MODIFICATION time of any of the
"permitted" files and report recently-changed binaries.

There might also be a good argument for disallowing setuid/setgid (for system
ids) files on non-system disks: this is a quick HACK to exec(2).

(Please don't flame the above suggestion as "non-portable": of course it's
not portable, but you change YOUR copy of the system to meet YOUR needs.)

Jeff Bowles
Lisle, IL
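
Added example, not part of the original post and not the findsuid source under discussion: a sketch of the check the reply asks for, where a setuid/setgid file on the "permitted" list is still reported if it changed recently. The allowlist, the paths and the seven-day window are constructed assumptions, and the ctime comparison goes beyond the post's wording.

```python
import os
import stat
import time

SUID_SGID = stat.S_ISUID | stat.S_ISGID

def classify(path, mode, mtime, ctime, permitted, cutoff):
    """Return None, 'UNLISTED' or 'CHANGED' for one file's stat values."""
    if not stat.S_ISREG(mode) or not (mode & SUID_SGID):
        return None                      # not a setuid/setgid regular file
    if path not in permitted:
        return "UNLISTED"                # privileged bit on a file nobody approved
    # Permitted file: the post's point is that it still needs a look if it
    # changed recently. mtime can be reset with utime(2), which itself
    # updates ctime, so ctime is checked as well (an addition to the post).
    if max(mtime, ctime) >= cutoff:
        return "CHANGED"
    return None

def scan(root, permitted, window_secs, now=None):
    """Walk root and return sorted (verdict, path) pairs worth reporting."""
    cutoff = (time.time() if now is None else now) - window_secs
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)      # lstat: never follow symlinks
            except OSError:
                continue                 # file vanished or unreadable
            verdict = classify(path, st.st_mode, st.st_mtime, st.st_ctime,
                               permitted, cutoff)
            if verdict:
                findings.append((verdict, path))
    return sorted(findings)

if __name__ == "__main__":
    # Constructed allowlist; a real one is site-specific.
    permitted = {"/usr/bin/passwd", "/usr/bin/su"}
    for verdict, path in scan("/usr/bin", permitted, 7 * 86400):
        print(verdict, path)
```

A CHANGED line for a permitted binary is a prompt to compare it against a known-good copy, since a legitimate upgrade produces the same report.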