
Re: How Debian Linux could be made more secure



i agree with you.

a) every package should use suidmanager if it needs a 1000, 2000 or 4000 bit.
b) every package should document why it uses this special permission in 
	/usr/doc/<package>/Security.Note (or README.Debian ?).
c) security should be more important than functionality or featurism.
	remove the damned suid bit from all svgalib programs.
	everyone can use sudo or something like that ...

>- The Debian Installer should check for every package, if
>  all suid binaries contained therein have an entry in
>  that list.  If a binary fails to have been registered,
>  the Installer should complain loudly to the package
>  maintainer.

not a good idea. remove all special permissions from all files, and use sudo.
guy could add a hook to his scripts on master, and reject all packages with
suid/sgid permissions. it's a very easy thing.

debian should do this, and not move the work to sysadmins.

>- /usr/sbin/checksecurity should compare the clearance
>  list to the installed system and loudly complain to the
>  system administrator if it finds any differences.

i agree. but /etc/suid.conf is fine, why an additional list ?

>- Additionally, the postinst script of that package itself
>  should perform the same check and complain loudly.

double and triple checks ? why ?

[list of questions]
 - what will happen if the program does not have the sgid/suid bit ?

>As time proceeds, tools for (e.g.) testing for buffer
>overflows should be made available.  Their application by
>package maintainers should be required.

yes. but also every sgid/suid bit that is not necessary should be removed.
for example : all svgalib games. everyone should use sudo or something like 
that so he can restrict the access to a few trusted users.

>As an additional level of "certification", packages may be
>tagged "insecure"

a package may not be insecure. either you install it in a secure way
(e.g. svgalib games _not_ suid root), and tell the sysadmin how he
can use it, and what risks he will have, or drop the package at all.

security is more important than functionality or featurism.

please start now :
 - document every sgid/suid bit
 - use suidmanager, so a sysadmin can turn something off
 - default settings should always reflect the secure setting,
 	even if this breaks functionality. README.Debian should then
	tell how to enable some feature, and that this is insecure

christian, did you count how often this was proposed ?

i know, that some people do not like suidmanager, and so they don't use it.
they should be forced to use it, or write something better.

andreas
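The two checks argued about above (rejecting packages that ship suid/sgid files, and comparing the installed system against a list of cleared special permissions) can be prototyped in a few lines of shell. The following is an added example written for this page, not code from the post, from suidmanager or from checksecurity. The package listing, the package paths and the allowlist are constructed for the demonstration; the listing mimics the `tar -tv` style output of `dpkg-deb -c`, so the same function can be fed a real package's contents.

```shell
#!/bin/sh
# Added example (not from the original post or from Debian tools):
#  1. scan a package file listing for setuid/setgid bits (the "reject on upload"
#     check discussed in the thread),
#  2. report special-permission files that are not on an allowlist (the
#     "compare the clearance list to the installed system" check).

# Constructed sample in the format of `dpkg-deb -c pkg.deb`; the package and
# its paths are invented for this example.
SAMPLE_LISTING='drwxr-xr-x root/root         0 1998-01-01 00:00 ./
drwxr-xr-x root/root         0 1998-01-01 00:00 ./usr/games/
-rwsr-xr-x root/root     40960 1998-01-01 00:00 ./usr/games/svgagame
-rwxr-sr-x root/games    12288 1998-01-01 00:00 ./usr/games/scorekeeper
-rwxr-xr-x root/root      8192 1998-01-01 00:00 ./usr/games/harmless'

# Constructed allowlist: one path per line that is cleared to carry a
# setuid or setgid bit (stands in for a documented list like /etc/suid.conf).
ALLOWED='./usr/games/scorekeeper'

# list_special_perms: read a tar-style listing on stdin and print "mode path"
# for every entry whose mode string has the setuid bit (character 4 is s/S)
# or the setgid bit (character 7 is s/S).
list_special_perms() {
    awk '{
        mode = $1
        if (substr(mode, 4, 1) ~ /[sS]/ || substr(mode, 7, 1) ~ /[sS]/)
            print mode, $NF
    }'
}

# count_special_perms: number of suid/sgid entries in a listing passed as $1.
# A non-zero result is what an upload hook would reject on.
count_special_perms() {
    printf '%s\n' "$1" | list_special_perms | awk 'END { print NR }'
}

# unregistered_special_perms: print every suid/sgid entry of listing $1 whose
# path is not present (exact line match) in allowlist $2.
unregistered_special_perms() {
    listing="$1"
    allow="$2"
    printf '%s\n' "$listing" | list_special_perms | while read -r mode path; do
        if ! printf '%s\n' "$allow" | grep -qxF -- "$path"; then
            printf '%s %s\n' "$mode" "$path"
        fi
    done
}

# live_special_perms: the same scan against a running system, for use by a
# periodic job in the spirit of checksecurity. Prints files under $1
# (default /) carrying a setuid or setgid bit, staying on one filesystem.
live_special_perms() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Demonstration on the constructed sample.
printf 'suid/sgid entries in sample package: %s\n' "$(count_special_perms "$SAMPLE_LISTING")"
printf 'not on the allowlist:\n'
unregistered_special_perms "$SAMPLE_LISTING" "$ALLOWED"
```

Feeding a real package is `dpkg-deb -c pkg.deb | list_special_perms`; for the running system, pipe `live_special_perms /usr` through the same allowlist comparison. Both checks only report; what to do about a hit (drop the bit, use suidmanager, or document it) remains the maintainer's decision, as the thread argues.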


--
To UNSUBSCRIBE, email to debian-devel-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org