2.5.2p2 ssh-keyscan installed group writable?

Jason Stone jason at dfmm.org
Wed Mar 28 12:24:32 EST 2001 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> SetUID binaries are *not* A Bad Thing.
> SetUID binaries are A Powerful Tool.

I don't want to get into a religious argument, but I think that on the
philosophical side, suid violates the idea that a user can only execute
code _as that user_, and on the practical side, suid binaries will
_always_ get you into trouble in the end because one or another of them
will _always_ have a buffer overrun, argument-parsing error,
system/library/race-condition error, etc.


>	It doesn't mean that the idea of SetUID
>	binaries is fundamentally flawed, since
>	there are sometimes things which cannot
>	be accomplished in any other feasible way.

You can always trivially use a client/server model with the server running
as root.  Done blindly, this can be as bad as suid, so I'm not suggesting
that you do this for everything - I'm just trying to illustrate that there
are alternatives (using xdm instead of a suid startx is the classic
example).  Perhaps more importantly, you have to ask yourself if the
functionality provided by the suid program warrants the risks.  On many
systems, I find the answer to be "no" for almost all the default suid
binaries.


> The correct answer for OpenSSH is, IMHO:
> 1.  Continue to support SetUID installation
> 	of the ssh client in order to
> 	support rsa-rhosts auth--but perhaps
> 	the default should transition over
> 	to non-SetUID (with a big warning note!)

It was certainly important in the beginning for ssh to be a drop-in
replacement for rsh, but I think that it's less true now.  I think it may
be acceptable to have ssh no be setuid by default and include a note in
the docs/manpage/config saying, "type 'chmod 4711 ssh' if you want to use
rsh."


> 2.  Install *all* executables (not just SetUID)
> 	as mode 511 (or 4511 if appropriate).
> 
> 	I know of at least one system where
> 	when given a user-level account on this
> 	supposedly-secure system, it took me
> 	less than 20 minutes to [...] take root.

I feel ambivalent on this one.  It would obscure stuff for you a little
bit, and every little bit helps, but the binaries are usually standard and
the user can get copies by other means, and smart users may have
legitimate uses for reading the binaries (I know that I frequently do).


 -Jason

 ---------------------------
 If the Revolution comes to grief, it will be because you and those you
 lead have become alarmed at your own brutality.         --John Gardner




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQE6wUtkswXMWWtptckRArRgAKC2xKBNPDrgC7zYufEuFxrNGWe+RgCgwsu5
+kvWmcjo/jM6frOFSwM6+pE=
=89AQ
-----END PGP SIGNATURE-----

More information about the openssh-unix-dev mailing list