
Re: How Debian Linux could be made more secure



On Wed, Apr 29, 1998 at 11:29:20AM +0200, Andreas Jellinghaus wrote:

> a) every package should use suidmanager if it needs a 1000 2000 or 4000 bit.
> b) every package should document why it uses this special permission in 
> 	/usr/doc/<package>/Security.Note (or README.Debian ?).

Make it an extra file.

> c) security should be more important than functionality or featurism.

YES.

> >- The Debian Installer should check for every package, if
> >  all suid binaries contained therein have an entry in
> >  that list.  If a binary fails to have been registered,
> >  the Installer should complain loudly to the package
> >  maintainer.

> not a good idea. remove all special permissions from all
> files, and use sudo. guy could add a hook to his scripts
> on master, and reject all packages with suid/sgid
> permissions. it's a very easy thing.

Not really.  Administrators may decide not to rely on the
security of sudo, but on a few well-defined programs which
can be run suid root (things like /bin/passwd).  There are
some places where perm & 07000 != 0 is needed or ok.

> >- /usr/sbin/checksecurity should compare the clearance
> >list to the installed system and loudly complain to the
> >system administrator if it finds any differences.

> i agree. but /etc/suid.conf is fine, why an additional list ?

The /etc/suid.conf has the local system administrator's
and the package maintainer's view of things.  The
clearance list contains a different view which is based on
the clearance procedure, and recent bug reports.  Think of
it as a way to distribute security knowledge to users.

> >- Additionally, the postinst script of that package itself
> >should perform the same check and complain loudly.

> double and triple checks ? why ?

Think of an environment with lots of packets, where the
administrator decides to update some of them, including
the clearance list.  He will then get warnings about
security problems on his system which may come from
recently discovered breaches, or from configuration
errors.

> [list of questions]
>  - what will happen, if the program has not the sgid/suid bit ?

ACK.

> yes. but also every sgid/suid bit that is not necessary
> should be removed.

Certainly.

> i know, that some people do not like suidmanager, and so they don't use it.
> they should be forced to use it, or write something better.

ACK.

tlr
-- 
Thomas Roessler · 74a353cc0b19 · dg1ktr · http://home.pages.de/~roessler/
     2048/CE6AC6C1 · 4E 04 F0 BC 72 FF 14 23 44 85 D1 A1 3B B0 73 C1
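
The comparison proposed above for /usr/sbin/checksecurity (installed files with perm & 07000 != 0 checked against a clearance list), as an added example that is not part of the original message and is not Debian's checksecurity code. The clearance-list format (`<path> <octal mode>` per line, `#` comments) and all function names are assumptions made for this sketch.

```python
import os
import stat

SPECIAL = 0o7000  # setuid (4000), setgid (2000), sticky (1000)

def parse_clearance(text):
    """Parse the assumed list format: '<path> <octal mode>', '#' starts a comment."""
    cleared = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, mode = line.split()
        cleared[path] = int(mode, 8) & SPECIAL
    return cleared

def scan(root):
    """Return {path: special bits} for regular files under root with perm & 07000 != 0."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks to other files
            except OSError:
                continue  # file vanished or is unreadable; skip it
            bits = stat.S_IMODE(st.st_mode) & SPECIAL
            if stat.S_ISREG(st.st_mode) and bits:
                found[path] = bits
    return found

def audit(installed, cleared):
    """Compare installed special-permission files against the clearance list."""
    findings = []
    for path, bits in sorted(installed.items()):
        if path not in cleared:
            findings.append(("UNCLEARED", path, oct(bits)))
        elif bits & ~cleared[path]:
            # File is listed, but carries bits the list does not allow.
            findings.append(("EXTRA_BITS", path, oct(bits & ~cleared[path])))
    for path in sorted(set(cleared) - set(installed)):
        # Listed file is missing or has no special bits: informational only.
        findings.append(("NOT_SET", path, oct(cleared[path])))
    return findings

if __name__ == "__main__":
    # Constructed sample list; the format is an assumption for this example.
    sample = "/bin/passwd 4755  # must update the password database\n"
    for finding in audit(scan("/bin"), parse_clearance(sample)):
        print(*finding)
```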

