Date: Mon, 22 Apr 2002 18:24:50 -0700 (PDT) From: Jason Stone <jason@shalott.net> To: hh <hh@dsgx.org> Cc: <freebsd-security@freebsd.org> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:23.stdio Message-ID: <20020422181601.C14111-100000@walter> In-Reply-To: <20020422210947.4fe7bc2a.hh@dsgx.org>
next in thread | previous in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> does anybody know's which kind of another files should be taken the +s
> option to block this bug ?
Uh, all of them? Unless you explicitly need the functionality of a
particular setuid binary, you should remove the setuid bit.
For example, on most of my machines I run something like:
SETUIDOK='/usr/bin/su|/usr/local/bin/sudo|/usr/bin/passwd'
FILENAME=/root/desetuid-`date +%s`-$$-`hostname`
find / -fstype nfs -prune -o -perm -4000 -user 0 -type f | egrep \
-v \($SETUIDOK\) \ > $FILENAME
ls -lo `cat $FILENAME` > ${FILENAME}.listing
find `cat $FILENAME` -flags chflags > ${FILENAME}.schg
chflags noschg `cat ${FILENAME}.schg`
chmod u-s `cat $FILENAME`
chflags schg `cat ${FILENAME}.schg`
to remove all setuid root bits except for the ones in SETUIDOK (passwd,
su, sudo).
Note, there was a previous thread on creating make variables to control
whether or not each setuid binary would be installed setuid. I haven't
done any work on a patch, yet, but such a system would allow you a cleaner
way of deciding which binaries should be setuid when you do a make world.
-Jason
-----------------------------------------------------------------------
I worry about my child and the Internet all the time, even though she's
too young to have logged on yet. Here's what I worry about. I worry
that 10 or 15 years from now, she will come to me and say "Daddy, where
were you when they took freedom of the press away from the Internet?"
-- Mike Godwin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg
iD8DBQE8xLfrswXMWWtptckRAtgOAKCeKvAVuiSOuIfwpJj0YaUZK7Nr3QCfShgg
vDWgBTH9H7Uq832IP0+a9XU=
=pFBi
-----END PGP SIGNATURE-----
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020422181601.C14111-100000>