Date: Sat, 13 Jul 1996 01:39:30 -0400 (EDT)
From: Brian Tao <taob@io.org>
To: Thomas Ptacek <tqbf@enteract.com>
Cc: freebsd-security@FreeBSD.org
Subject: Re: Permissions
Message-ID: <Pine.NEB.3.92.960713011836.27070d-100000@zap.io.org>
In-Reply-To: <199607130019.TAA19991@enteract.com>

On Fri, 12 Jul 1996, Thomas Ptacek wrote:
>
> Furthermore, the standard rc file turns on lots of stuff I don't want
> to see running, like lpd and routed.

    There are knobs for both lpd and routed/gated in post-2.1
/etc/sysconfig.

> The more recent public FreeBSD security problems have been pretty
> stupid. Why was mount_union SUID? Almost nobody I know that runs
> FreeBSD even knows what unionfs is. Likewise, ppp and sliplogin? All
> the UUCP stuff? I'll bet 99% of everyone who installs FreeBSD will
> never touch UUCP.

    Below, I've included a series of commands I run whenever I upgrade
one of our public servers. It follows the principle of least
privilege: if only root should be running a binary, then it doesn't
need to be setuid root, and probably doesn't need group/other execute
permissions. Directories that aren't needed are removed, e.g.: no
mail is received on the shell servers, so neither /var/mail nor
mail.local are needed. Depending on your needs, you may need crontab
or the lp system, but I've been able to reduce the number of setuid
root binaries to 12 (3 of which are the sendmail/newaliases/mailq hard
links) and a bunch of setgid kmem binaries.

    With the recent crop of root exploits, this kind of policy could
have avoided the mount_union, man, suidperl and rdist vulnerabilities.
Knowing that you can head off hacking attempts before they happen is
worth coming up with a similar policy on your servers.

>>>>>
cd /sbin ; chmod go-rwx mount_* *dump *restore route shutdown
cd /usr/bin ; chmod go-rwx at* batch crontab cu key* *-local logger lp* rdist uucp uulog uuname uupick uusched uustat uuto uux wall
cd /usr/sbin ; chmod go-rwx lp* mrinfo mtrace ppp* sliplogin timedc
cd /usr/libexec ; chmod go-rwx mail.local

cd /sbin ; chmod ug-s mount_* *dump *restore route shutdown
cd /usr/bin ; chmod ug-s crontab man rdist suidperl
cd /usr/sbin ; chmod ug-s mrinfo mtrace
cd /usr/libexec ; chmod ug-s mail.local

rmdir /lost+found /usr/lost+found /var/lost+found /usr/local/lost+found /var/mail
rm -rf /var/spool/uucp* /usr/libexec/uucp /usr/libexec/lpr /etc/ppp /etc/uucp /etc/gnats /etc/kerberosIV

chflags schg /kernel* /lkm/* /bin/* /sbin/* /usr/bin/* /usr/sbin/* /usr/lib/* /usr/libexec/*
chflags sappnd /bin /lkm /sbin /stand /usr/bin /usr/include /usr/sbin /usr/lib /usr/libexec
<<<<<
--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Senior Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"
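
Added example, not part of Brian Tao's message: a POSIX sh check to run after a lock-down like the one above, reporting any setuid/setgid file that is not on an approved list, so an upgrade that quietly restores a bit gets noticed. The function names and the allowlist file (one absolute path per line, lines starting with # ignored) are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the original message. Names and the allowlist
# format are assumptions made for illustration.

# list_setid DIR...: print every regular file under DIR that carries the
# setuid (4000) or setgid (2000) bit, sorted, one path per line.
list_setid() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# audit_setid ALLOWLIST DIR...: print set-id files that are not listed in
# ALLOWLIST. Exit status is 0 when nothing unexpected is found, 1 otherwise.
# A missing allowlist reports everything. Paths containing newlines are
# not handled.
audit_setid() {
    allow=$1
    shift
    list_setid "$@" | awk -v allow="$allow" '
        BEGIN {
            # Load approved paths, skipping blank lines and # comments.
            while ((getline line < allow) > 0)
                if (line !~ /^[ \t]*(#|$)/) ok[line] = 1
        }
        !($0 in ok) { print; bad = 1 }
        END { exit bad + 0 }'
}

# Typical use after an upgrade (the allowlist path is hypothetical):
#   audit_setid /etc/setid.allow /bin /sbin /usr/bin /usr/sbin /usr/libexec
```
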