Date: Mon, 22 Apr 2002 23:38:24 -0400 (EDT) From: Chris BeHanna <behanna@zbzoom.net> To: FreeBSD Security <security@freebsd.org> Subject: Cleaning suid Binaries (Was: Re: stdio security advisory) Message-ID: <20020422233549.A69611-100000@topperwein.dyndns.org> In-Reply-To: <20020422181601.C14111-100000@walter>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 22 Apr 2002, Jason Stone wrote:
> > does anybody know's which kind of another files should be taken the +s
> > option to block this bug ?
>
> Uh, all of them? Unless you explicitly need the functionality of a
> particular setuid binary, you should remove the setuid bit.
>
> For example, on most of my machines I run something like:
>
> SETUIDOK='/usr/bin/su|/usr/local/bin/sudo|/usr/bin/passwd'
Just FYI, gpg needs to be setuid root in order to lock pages
containing cleartext passphrase information in memory; otherwise, they
can end up in your swap area.
You'll know you're in trouble if gpg blurts out "Warning: Using
insecure memory!" right before it prompts you for the passphrase.
> [...snip rest of suid cleanup script...]
--
Chris BeHanna
Software Engineer (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
I was raised by a pack of wild corn dogs.
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020422233549.A69611-100000>