Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!brl-adm!adm!swa@COMET.LCS.MIT.EDU
From: swa@COMET.LCS.MIT.EDU (Steven Augart)
Newsgroups: comp.unix.wizards
Subject: /etc/rc, security ...
Message-ID: <7038@brl-adm.ARPA>
Date: Wed, 22-Apr-87 03:30:49 EST
Article-I.D.: brl-adm.7038
Posted: Wed Apr 22 03:30:49 1987
Date-Received: Thu, 23-Apr-87 05:18:21 EST
Sender: news@brl-adm.ARPA
Lines: 34

From: The Perplexed Wiz
Date: 21 Apr 87 23:38:31 GMT

In article <623@rna.UUCP> dan@rna.UUCP (Dan Ts'o) writes:

> I did a PS on our 4.2BSD system today and found extra copies of
> /etc/update, cron and a few others running, owned by one of our users. I am
> surprised that all sorts of system daemons are executable by non-root uids.
> I know I could go through each one and chmod them but it seems strange to me
> that the system would be distributed in this manner.

I think this was discussed on the net not too long ago....but....

It seems that BSD releases are full of weird security holes as delivered.
I know I spent weeks closing up holes in Ultrix (a mutation of 4.2bsd)
before I was willing to have more than a few "real" users use the VAX.
I guess the UCB folks are not too concerned with security...Maybe each
person has their own VAX or Sun... :-)

....todd

In what way does /etc/update or /etc/cron being world-executable constitute
a security hole? After all, any user can write a program that does the same
thing that cron or update does, and then run it themselves. Having /etc/cron
or /etc/update executable only means that a user can run it without having
to write one of their own.

Anybody who tries to run programs out of /etc without knowing what they do
deserves what they get, anyway... the only "security" problem is that by
running these things they'll slow down the system slightly by creating more
work for it to do.

SWA
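The distinction SWA draws is between a root-owned daemon that is merely world-executable (it runs with the invoking user's own uid, so it grants nothing the user could not get by writing the program themselves) and a root-owned binary with the setuid bit set (it runs as root no matter who invokes it). The script below is an added illustration, not code from the thread or from any BSD release: it classifies entries from `ls -l` output by exactly that distinction. The sample listing, including which files carry which mode bits, is constructed for the example and is not real 4.2BSD output; the function names are ours.

```shell
#!/bin/sh
# Added example, not part of the original Usenet thread. It separates the case
# the thread argues is harmless (a root-owned daemon that is merely
# world-executable, so it runs with the caller's own uid) from the one that
# actually grants privilege (a root-owned setuid binary). It reads the
# permission field of `ls -l` output so it runs anywhere without touching /etc.

# classify_perm PERMFIELD -> setuid | setgid | world-exec | restricted
# PERMFIELD is the first column of `ls -l`, e.g. -rwsr-xr-x
classify_perm() {
    case $1 in
        ???[sS]??????) echo setuid ;;      # owner execute slot shows s/S
        ??????[sS]???) echo setgid ;;      # group execute slot shows s/S
        ?????????x)    echo world-exec ;;  # others may execute, no special bits
        *)             echo restricted ;;
    esac
}

# audit_listing: reads `ls -l` lines on stdin and prints, for each regular
# file, its classification, owner and name. Directories and links are skipped.
audit_listing() {
    while read -r perm links owner group size m d t name; do
        case $perm in
            -*) printf '%s %s %s\n' "$(classify_perm "$perm")" "$owner" "$name" ;;
        esac
    done
}

# count_root_setuid: reads `ls -l` lines on stdin and prints how many are
# root-owned setuid files, the only entries here that warrant attention.
count_root_setuid() {
    audit_listing | grep -c '^setuid root '
}

# Constructed sample listing in the style of a 4.2BSD /etc (not real output);
# the mode bits are chosen to exercise each branch of classify_perm.
SAMPLE_LISTING='-rwxr-xr-x 1 root wheel 12288 Apr 21 1987 cron
-rwxr-xr-x 1 root wheel  4096 Apr 21 1987 update
-rwsr-xr-x 1 root wheel 20480 Apr 21 1987 chsh
-rwx------ 1 root wheel  8192 Apr 21 1987 rc
drwxr-xr-x 2 root wheel   512 Apr 21 1987 conf'

printf '%s\n' "$SAMPLE_LISTING" | audit_listing
printf 'root-owned setuid files: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LISTING" | count_root_setuid)"
```

On the constructed listing, `cron` and `update` come out as `world-exec`, which is the case the thread says is harmless, while `chsh` is the only `setuid root` entry; a real audit would feed it `ls -l /etc` and pay attention only to the setuid lines.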