Date: Thu, 16 Dec 1999 15:05:51 -0500 (EST) From: Spidey <beaupran@iro.umontreal.ca> To: Mike Tancsa <mike@sentex.net> Cc: freebsd-security@FreeBSD.ORG Subject: Re: setuid revisited (was Re: From BugTraq - FreeBSD 3.3 xsoldier root exploit (fwd) ) Message-ID: <14425.17951.786660.581622@anarcat.dyndns.org> References: <14425.12035.757889.422296@anarcat.dyndns.org> <199912160615.XAA69151@harmony.village.org> <Pine.BSF.3.96.991216091552.26813A-100000@fledge.watson.org> <199912161828.LAA72864@harmony.village.org> <3.0.5.32.19991216143031.0192ae30@staff.sentex.ca>
next in thread | previous in thread | raw e-mail | index | archive | help
As I mentionned before, I wrote a file in the mtree syntax that can be used to update perms to your taste. You just modify the file to your liking, and run mtree with it. http://www.iro.umontreal.ca/~beaupran/FreeBSD/setugid.txt Try it. You'll like it. :)) --- Big Brother told Mike Tancsa to write, at 14:30 of December 16: > At 01:37 PM 12/16/99 -0500, Spidey wrote: > >Yes. Since I've been looking at setuid's on FBSD, my primary concern's > >been with the ports. I wished there could be some way to have a > >variable in the Makefiles that say "NOSETUID=YES". :)) > > > Even the main tree seems a big permissive for some applications (in my > case, an ISP). There are a few things I disable each time I make world on > my shell and web server. What would be the best way to automate this and > give other people an easy way to disable unresitricted access easily to > potentially dangerous programs ? e.g. looking through > /var/log/setuid.today some of the files that look like a candidate for > chmod o-x are > > > -r-xr-sr-x 1 root kmem 100148 Dec 14 00:02:03 1999 /sbin/ccdconfig > -r-xr-sr-x 2 root tty 221752 Dec 14 00:02:05 1999 /sbin/dump > -r-xr-sr-x 2 root tty 221752 Dec 14 00:02:05 1999 /sbin/rdump > -r-xr-sr-x 2 root tty 244920 Dec 14 00:02:20 1999 /sbin/restore > -r-sr-xr-x 1 root wheel 153760 Dec 14 00:02:21 1999 /sbin/route > -r-xr-sr-x 2 root tty 244920 Dec 14 00:02:20 1999 /sbin/rrestore > -r-sr-xr-x 5 root wheel 290448 Dec 14 00:04:32 1999 /usr/bin/hoststat > -r-sr-sr-x 1 root daemon 18064 Dec 14 00:04:12 1999 /usr/bin/lpq > -r-sr-sr-x 1 root daemon 20864 Dec 14 00:04:12 1999 /usr/bin/lpr > -r-sr-sr-x 1 root daemon 17624 Dec 14 00:04:13 1999 /usr/bin/lprm > -r-s--x--x 1 root wheel 47448 Apr 26 00:34:25 1999 > /usr/bin/sperl5.00502 > -r-s--x--x 2 root wheel 47472 Dec 14 00:01:28 1999 /usr/bin/sperl5.00503 > -r-s--x--x 2 root wheel 47472 Dec 14 00:01:28 1999 /usr/bin/suidperl > -r-xr-sr-x 1 root kmem 52424 Dec 14 00:03:47 1999 /usr/bin/systat > -r-xr-sr-x 1 root kmem 14536 Dec 14 00:03:54 1999 /usr/bin/vmstat > -r-xr-sr-x 2 root kmem 10576 Dec 14 00:03:54 1999 /usr/bin/w > -r-xr-sr-x 1 root tty 8108 Dec 14 00:03:54 1999 /usr/bin/wall > -r-xr-sr-x 1 root games 6188 Dec 13 23:59:52 1999 /usr/games/dm > -rwxr-sr-x 1 root kmem 88160 Mar 18 21:39:54 1999 /usr/local/sbin/lsof > -r-xr-sr-x 1 root kmem 9472 Dec 14 00:04:09 1999 /usr/sbin/iostat > -r-xr-sr-x 1 root daemon 23968 Dec 14 00:04:12 1999 /usr/sbin/lpc > -r-sr-xr-x 1 root wheel 14528 Dec 14 00:04:15 1999 /usr/sbin/mrinfo > -r-sr-xr-x 1 root wheel 27528 Dec 14 00:04:15 1999 /usr/sbin/mtrace > -r-xr-sr-x 2 root kmem 13184 Dec 14 00:04:20 1999 /usr/sbin/pstat > -r-sr-xr-x 5 root wheel 290448 Dec 14 00:04:32 1999 > /usr/sbin/purgestat > -r-sr-x--- 1 root network 9768 Dec 14 00:04:22 1999 > /usr/sbin/sliplogin > -r-xr-sr-x 2 root kmem 13184 Dec 14 00:04:20 1999 > /usr/sbin/swapinfo > -r-sr-xr-x 1 root wheel 13440 Dec 14 00:04:24 1999 /usr/sbin/timedc > -r-xr-sr-x 1 root kmem 7036 Dec 14 00:04:25 1999 /usr/sbin/trpt > > > > Things like the printer control for example... If you dont have printing > services, why bother with the control programs. Similarly, I dont think my > users need access to vmstat or any of the backup programs, local or remote. > If a program were to be created to track these files, and suggest to the > end user a method to disabling +o access, what would be the best way to go > about designing it ? Should it just read the contents of > /var/log/setuid.today ? > > > I like Robert's idea of the > > HAS_MISC_SET_ID= {yes,no} > HAS_ROOT_SETUID= {yes,no} > > for the ports, although I would say give it a month or so before marking > anyhing broken. > > ---Mike > ------------------------------------------------------------------------ > Mike Tancsa, tel +1 519 651 3400 > Network Administrator, mike@sentex.net > Sentex Communications www.sentex.net > Cambridge, Ontario Canada > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Si l'image donne l'illusion de savoir C'est que l'adage pretend que pour croire, L'important ne serait que de voir Lofofora To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?14425.17951.786660.581622>