From owner-freebsd-security Wed Aug 11 16:49:56 1999
Date: Thu, 12 Aug 1999 03:41:38 +0400
From: "Andrey E. Lerman" <lae@univ.uniyar.ac.ru>
To: John Howie
Cc: freebsd-security@freebsd.org
Subject: Re: Fw: info on suid/sgid files
Message-ID: <19990812034137.E6691@univ.uniyar.ac.ru>
References: <013701bee446$e05a98f0$fe01a8c0@pacbell.net>
In-Reply-To: <013701bee446$e05a98f0$fe01a8c0@pacbell.net>; from John Howie on Wed, Aug 11, 1999 at 03:14:27PM -0700

On Wed, Aug 11, 1999 at 03:14:27PM -0700, John Howie wrote:
> Andrey wrote:
>
> > I did a quick search for suid/sgid files on our server's hd
> > and found a lot. I really didn't expect so many. I removed
> > the bits on about 80% of them without any visible (yet) impact to
> > the system's operation. So I'm wondering, where to find info about
> > what these suid/sgid bits were for and what I lose by removing
> > them. Some of the progs I chmod'ed really amazed me, for example
> > quota, df, ps, dump, restore, shutdown...
>
> Many of those programs require privileges to access kernel memory, the raw
> hard disk, etc. Ordinary users will not have the necessary permissions to
> access these parts of the OS, hence the SUID bit. Many system administrators
> freak out, but the reality is that these utilities rarely (but not never)
> expose a risk to system security. While the truly paranoid might remove the
> SUID bit, it is often unnecessary and can cause legitimate, non-root users
> problems when they want to see what is running on the system, what their
> disk quota usage is, etc.

We just don't know what kind of security risk they expose. Imagine tomorrow
bugtraq and -security lists filled with messages about a new vulnerability.
Who will be faster, you patching your system or hackers breaking into it?
Who knows. The risk is low, but not zero. People (developers are people too)
sometimes make mistakes. Same for auditors of code. I agree, some will call
it paranoid. I will consider restoring these suid/sgid bits if there are
complaints from the users (or me :). We are balancing between comfortable
working and security again.

> You mentioned that you found these on your server. I am assuming that this
> is a file and print server. If your users cannot access this system
> interactively, either at the console or over the network, by disabling the
> telnet and r* daemons, then you have very little to worry about.

You guessed quite right; it is also an ftp and www server and gateway. But we
plan to set this box up also as a server for X terminals. I also admin another
box running Linux, which is a terminal server. I found a lot fewer suid
programs on it.

-- 
Andrey E. Lerman @ Yaroslavl State University
ICQ: 9418370, primary email: lae@uniyar.ac.ru
[Lae] on IRCNet
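The thread turns on two practical questions: which files on the box actually carry the setuid/setgid bits, and how an admin notices when that set changes after the fact (a new vulnerability in one of them, or a privileged binary that appears where none was before). The script below is an added example, not code from either poster; it inventories set-id files under a directory tree with `find -perm`, records a baseline, and diffs the live system against it so the result can drive a cron job or a monitoring check. The function names, the baseline file name and the sample paths in the usage line are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): inventory the setuid and
# setgid files under a directory tree and compare that list against a saved
# baseline, so that a set-id file that is added, removed or re-owned is noticed.
# Directory and baseline file names are the caller's choice; the paths in the
# usage line at the bottom are illustrative assumptions only.

# list_setid DIR
#   Print one line per setuid/setgid regular file under DIR (same filesystem
#   only): "mode owner group path", sorted by path so the output is diff-able.
#   Assumes paths without embedded spaces (the path is taken as the last field
#   of the ls -l line).
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; 2>/dev/null \
        | awk '{ print $1, $3, $4, $NF }' | sort -k 4
}

# count_setid DIR
#   Number of setuid/setgid files under DIR (the figure the poster was surprised by).
count_setid() {
    list_setid "$1" | wc -l | tr -d ' '
}

# setid_baseline DIR FILE
#   Save the current inventory as the baseline to compare against later.
setid_baseline() {
    list_setid "$1" > "$2"
}

# setid_check DIR FILE
#   Diff the live inventory against the baseline. Exit status 0 when nothing
#   changed, 1 when a set-id file was added, removed or changed owner/mode;
#   the diff output names the offending entries.
setid_check() {
    list_setid "$1" | diff "$2" -
}

# drop_setid FILE...
#   Clear both bits on the given files (what the poster did for most of what he
#   found). Re-run list_setid afterwards to see what is left, and keep the
#   baseline in step with any deliberate change.
drop_setid() {
    chmod u-s,g-s "$@"
}

# Usage when run directly, e.g.  sh setid-audit.sh /usr /var/db/setid.baseline
# First run writes the baseline; later runs report differences.
if [ $# -eq 2 ]; then
    if [ -f "$2" ]; then
        setid_check "$1" "$2"
    else
        setid_baseline "$1" "$2" && echo "baseline written: $(count_setid "$1") set-id files"
    fi
fi
```

Run it once to write the baseline right after you have decided which bits to keep, then schedule the same invocation from cron; a non-zero exit with diff output means the set of privileged binaries on the box is no longer the one you audited.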