The debian-private mailing list leak, part 1. Volunteers have complained about Blackmail. Lynchings. Character assassination. Defamation. Cyberbullying. Volunteers who gave many years of their lives are picked out at random for cruel social experiments. The former DPL's girlfriend Molly de Blanc is given volunteers to experiment on for her crazy talks. These volunteers never consented to be used like lab rats. We don't either. debian-private can no longer be a safe space for the cabal. Let these monsters have nowhere to hide. Volunteers are not disposable. We stand with the victims.
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

suid programs and security

On Sat, 15 Feb 1997, Dan Stromberg wrote:

> Dale Scheetz wrote:
> > 
> > On Sat, 15 Feb 1997, John Goerzen wrote:
> > 
> > > On Tue, 11 Feb 1997, Dale Scheetz wrote:
> > >
> > > > Seems to me that the proper way to prioritize testing should be based on
> > > > the technical needs of the system. We already have these priorities for
> > > > packages in the system and it is my intention to use these priorities as
> > > > testing priorities as well. OK?
> > >
> > > Well, do it as you wish.  My thought here is that there are some programs
> > > that run as root (either setuid to root or are started as root, like init,
> > > mgetty, and SVGALib programs).  Any problem in these packages could be
> > > much more serious than the same problem in a different package.
> > >
> > > It is for this reason that I say that programs that run as root need to be
> > > examined more critically.
> > >
> > These sound like good technical reasons.
> > Is there an easy way to identify all the suid programs?
> > 
> > Thanks,
> 
> If you have all packages installed:
> 
> find / -fstype nfs -prune -o -perm +04000 -ls

I had done some big administration on my system this weekend and find a 
lot of programs who dont register their suid bits throw suidregister 
(especially games). This should be a must on the distribution, as for a 
check option on suidregister who check not register suid programs. Some 
programs too look as having dangerous settings, like nethack who is
 6775 root.games... and emacs movemail who is 6755 root.mail. Having it 
just 4755 looks to work well for me. Sorry, with my system out of line, I 
couldn't report all bugs but this can be check easily as you see.

I would like to know if their people out there wanting to work on a 
"especially secure" distribution of Debian? It will be base on the free 
packages (including non-us) around there, carefully choice and tested to 
give a more secure debian system. *EXAMPLES* of main lines:

* Packages must be certified by a special key.
* Support of shadow and may be PAM
* Support of cfs/tcfs on the system.
* Special configuration to allow more security.
* Special support of firewall
* Special cron jobs to check if the system wasn't compromised (sorry I 
can't find a more accurate word)
* Warn about installation of unsecure software (such as doom, or 
some shell without security certification)
* Special security support (including releasing us own security patch and 
comments)

They're just examples and I'm really *not* a security expert but I would 
like to be part of this project if they're one. May be can we get a C3 
authentification *with* network. CFS is surely more secure then other 
*supposely* secured FS ;).




--
Please respect the confidentiality of material on the debian-private list.
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-private-REQUEST@lists.debian.org . Trouble? e-mail to Bruce@Pixar.com