unix security program

der Mouse mouse at Larry.McRCIM.McGill.EDU
Tue Jun 14 04:17:38 AEST 1988 

In article <10102 at mcdchg.UUCP>, jona at moss.ATT.COM (Jon M. Allingham) writes:
> In article <7971 at mcdchg.UUCP> usenet at mcdchg.UUCP writes:
>> The permissions check program requires you to set up a list of
>> permissions, the ones given are not the most secure, for example:
>> /bin	555	dr-xr-xr-x
>> If you want security why let users cd to or ls /bin, better to set
>> the permissions :
>> /bin	111	d--x--x--x

If you want security you don't want UNIX.  If you must have UNIX and
you want to come as close as you can, there are many other things to
mess with before worrying about users being able to cd to /bin.  Tell
me, what are you afraid they'll do once they're there?

> I would be very annoyed if I couldn't do an ls on /bin (etc.), that
> would also mean that programs such as "whereis" (search through your
> path to find an executable) wouldn't work either [...]

I'd be annoyed too.  But, not to defend mode 111 for /bin or anything,
a program that runs along your path looking for an executable will work
perfectly well if the directories are mode 111.  After all, the shell
itself does precisely this when you type a command name.  (The csh
hashes, yes, but that's a detail.)  The point is that if you know the
name of the file you're looking for, the directory need only permit
execute access, regardless of what you want to do with the file itself.

> (unless [...] a suid group bin [...]... we don't really need more
> suid programs either.)

If you want security I don't think you can use the traditional setuid
mechanisms.  Almost no programs are sufficiently paranoid that they can
safely be made setuid, and even in the few cases when the author(s)
thought of everything, the available facilities are usually too weak to
provide real security.  A discussion of access() in some other group
(comp.unix.wizards?  I think that was it) batted this around and more
or less concluded this some time ago....

					der Mouse

			uucp: mouse at mcgill-vision.uucp
			arpa: mouse at larry.mcrcim.mcgill.edu

More information about the Comp.unix mailing list