/ owned by bin causes sshd to complain bad ownership
Garance A Drosehn
gad at FreeBSD.org
Fri Jun 22 18:12:28 UTC 2012
On 6/22/12 1:15 PM, Julian H. Stacey wrote:
> Jason Hellenthal wrote:
>
>> It is not really clear why you would want to change the permissions of
>> root:wheel of / on any of these.
>>
> To Increase security.
> More visual prompting of when junior admins blunder & create
> junk as root
> A SUID with bin has less power than a SUID with uid=root
> Currently every binary in the system is one bit away from the jackpot,
> SUID root, why not convert most binaries to uid=bin, then most binaries
> are 2 bits away from jackpot, more safety in event of a blunder too.
>
SUID binaries are one issue. The directory '/' is not a SUID binary.
The issue for sshd is ownership of the directory '/'.
>> root is the owner of the system ... it
>>
> Only because it currently is, & you're used to it ;-)
> Remember back a few decades, think more deeply, why do you think it
> _needs_ to be ? Unix didn't use to want that, it was usually a
> blunder when it occurred.
>
> look at /etc/passwd
> root: entry has the shell,
> bin: entry is more limited, just has /sbin/nologin
>
> The question is WHY did FreeBSD switch to promote everything to root ?
> That it did so Way back proves nothing,
> Cos further back Unix was bin.
>
At one time I read that having directories/files owned by root was a
security benefit when considering the -maproot=<x> for NFS exports.
All unix systems recognize UID=0 means root, and there is no other
UID which all unix systems agree on. Disclaimer: I rarely use NFS,
so I don't really pay attention to the details. I may have the wrong
idea for what the advantage is, but it was some kind of connection
with UID=0 and NFS exports or imports.
I don't think you have shown any benefit by having directories owned
by bin instead of root. I think the check in sshd is fine as it is.
--
Garance Alistair Drosehn = gad at gilead.netel.rpi.edu
Senior Systems Programmer or gad at freebsd.org
Rensselaer Polytechnic Institute or drosih at rpi.edu
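The sshd check that produces the "bad ownership" complaint discussed in this thread is the StrictModes path walk. The following Python is an added example, not OpenSSH's code and not from any poster in this thread; it models the check as described here: the key file and each directory above it must be owned by root or by the user, must not be group- or world-writable, and the walk stops once it reaches the user's home directory or `/`. The in-memory tree, the uids (bin as uid 3, alice as uid 1001) and the paths are constructed for illustration; `stat_from_os` shows how the same walk would read a live filesystem.

```python
import os
import posixpath
import stat as statmod
from typing import Callable, Dict, Optional, Tuple

ROOT_UID = 0
StatFn = Callable[[str], Tuple[int, int]]   # path -> (owner uid, permission bits)


def stat_from_os(path: str) -> Tuple[int, int]:
    """Read the live filesystem: (uid, permission bits) of a real path."""
    st = os.stat(path)
    return st.st_uid, statmod.S_IMODE(st.st_mode)


def stat_from_dict(fs: Dict[str, Tuple[int, int]]) -> StatFn:
    """Build a stat function over a constructed in-memory tree (offline use)."""
    def _stat(path: str) -> Tuple[int, int]:
        if path not in fs:
            raise FileNotFoundError(path)
        return fs[path]
    return _stat


def _acceptable(owner: int, mode: int, uid: int) -> Optional[str]:
    """Return None if owner/mode pass, else the reason they fail."""
    if owner not in (ROOT_UID, uid):
        return "bad ownership"
    if mode & 0o022:              # group- or world-writable
        return "bad modes"
    return None


def strict_modes_check(path: str, uid: int, home: str, stat_fn: StatFn) -> Optional[str]:
    """Model of sshd's StrictModes walk (an assumption here, not OpenSSH code).

    Checks the file itself, then every directory above it until the walk
    reaches the user's home directory or '/'.  Returns None when everything
    passes, otherwise a message naming the first offending component.
    """
    path = posixpath.normpath(path)
    reason = _acceptable(*stat_fn(path), uid)
    if reason:
        return f"{reason} for file {path}"
    cur = path
    while True:
        cur = posixpath.dirname(cur)
        reason = _acceptable(*stat_fn(cur), uid)
        if reason:
            return f"{reason} for directory {cur}"
        if cur == posixpath.normpath(home) or cur == "/":
            return None


# Constructed example tree: '/' owned by bin (uid 3 on FreeBSD), as in the thread.
BIN_UID, ALICE_UID = 3, 1001
EXAMPLE_FS = {
    "/": (BIN_UID, 0o755),
    "/home": (ROOT_UID, 0o755),
    "/home/alice": (ALICE_UID, 0o755),
    "/home/alice/.ssh": (ALICE_UID, 0o700),
    "/home/alice/.ssh/authorized_keys": (ALICE_UID, 0o600),
    "/etc": (ROOT_UID, 0o755),
    "/etc/ssh": (ROOT_UID, 0o755),
    "/etc/ssh/keys": (ROOT_UID, 0o755),
    "/etc/ssh/keys/alice": (ROOT_UID, 0o644),
}


def demo() -> Dict[str, Optional[str]]:
    """Run the check over the constructed tree; returns the outcome per case."""
    st = stat_from_dict(EXAMPLE_FS)
    home = "/home/alice"
    # Case A: key file under the home dir; the walk stops at /home/alice,
    # so the ownership of '/' is never examined.
    in_home = strict_modes_check("/home/alice/.ssh/authorized_keys", ALICE_UID, home, st)
    # Case B: key file outside the home dir (a hypothetical AuthorizedKeysFile
    # under /etc); the walk continues up to '/' and trips on the bin ownership.
    outside = strict_modes_check("/etc/ssh/keys/alice", ALICE_UID, home, st)
    # Case C: same as B once '/' is owned by root again.
    fixed_fs = {**EXAMPLE_FS, "/": (ROOT_UID, 0o755)}
    fixed = strict_modes_check("/etc/ssh/keys/alice", ALICE_UID, home, stat_from_dict(fixed_fs))
    # Case D: a group-writable .ssh is rejected before the walk reaches home.
    loose_fs = {**EXAMPLE_FS, "/home/alice/.ssh": (ALICE_UID, 0o770)}
    loose = strict_modes_check("/home/alice/.ssh/authorized_keys", ALICE_UID, home,
                               stat_from_dict(loose_fs))
    return {"in_home": in_home, "outside_home": outside,
            "after_chown": fixed, "group_writable_ssh": loose}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result or 'ok'}")
```

The split between `stat_from_dict` and `stat_from_os` is deliberate: the same walk can be exercised offline against a constructed tree, or pointed at a real host with `strict_modes_check(path, uid, home, stat_from_os)` to find which component sshd would object to before touching ownership on a live system.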