Date:      Thu, 16 Dec 1999 14:30:31 -0500
From:      Mike Tancsa <mike@sentex.net>
To:        freebsd-security@FreeBSD.ORG
Subject:   setuid revisited (was Re: From BugTraq - FreeBSD 3.3 xsoldier root exploit (fwd) )
Message-ID:  <3.0.5.32.19991216143031.0192ae30@staff.sentex.ca>
In-Reply-To: <14425.12637.308602.637788@anarcat.dyndns.org>
References:  <14425.12035.757889.422296@anarcat.dyndns.org> <199912160615.XAA69151@harmony.village.org> <Pine.BSF.3.96.991216091552.26813A-100000@fledge.watson.org> <199912161828.LAA72864@harmony.village.org>

At 01:37 PM 12/16/99 -0500, Spidey wrote:
>Yes. Since I've been looking at setuid's on FBSD, my primary concern's
>been with the ports. I wished there could be some way to have a
>variable in the Makefiles that say "NOSETUID=YES". :))


Even the main tree seems a bit permissive for some applications (in my
case, an ISP).  There are a few things I disable each time I make world on
my shell and web server.  What would be the best way to automate this and
give other people an easy way to disable unrestricted access to
potentially dangerous programs?  e.g. looking through
/var/log/setuid.today, some of the files that look like candidates for
chmod o-x are


-r-xr-sr-x  1 root  kmem     100148 Dec 14 00:02:03 1999 /sbin/ccdconfig
-r-xr-sr-x  2 root  tty      221752 Dec 14 00:02:05 1999 /sbin/dump
-r-xr-sr-x  2 root  tty      221752 Dec 14 00:02:05 1999 /sbin/rdump
-r-xr-sr-x  2 root  tty      244920 Dec 14 00:02:20 1999 /sbin/restore
-r-sr-xr-x  1 root  wheel    153760 Dec 14 00:02:21 1999 /sbin/route
-r-xr-sr-x  2 root  tty      244920 Dec 14 00:02:20 1999 /sbin/rrestore
-r-sr-xr-x  5 root  wheel    290448 Dec 14 00:04:32 1999 /usr/bin/hoststat
-r-sr-sr-x  1 root  daemon    18064 Dec 14 00:04:12 1999 /usr/bin/lpq
-r-sr-sr-x  1 root  daemon    20864 Dec 14 00:04:12 1999 /usr/bin/lpr
-r-sr-sr-x  1 root  daemon    17624 Dec 14 00:04:13 1999 /usr/bin/lprm
-r-s--x--x  1 root  wheel     47448 Apr 26 00:34:25 1999 /usr/bin/sperl5.00502
-r-s--x--x  2 root  wheel     47472 Dec 14 00:01:28 1999 /usr/bin/sperl5.00503
-r-s--x--x  2 root  wheel     47472 Dec 14 00:01:28 1999 /usr/bin/suidperl
-r-xr-sr-x  1 root  kmem      52424 Dec 14 00:03:47 1999 /usr/bin/systat
-r-xr-sr-x  1 root  kmem      14536 Dec 14 00:03:54 1999 /usr/bin/vmstat
-r-xr-sr-x  2 root  kmem      10576 Dec 14 00:03:54 1999 /usr/bin/w
-r-xr-sr-x  1 root  tty        8108 Dec 14 00:03:54 1999 /usr/bin/wall
-r-xr-sr-x  1 root  games      6188 Dec 13 23:59:52 1999 /usr/games/dm
-rwxr-sr-x  1 root  kmem      88160 Mar 18 21:39:54 1999 /usr/local/sbin/lsof
-r-xr-sr-x  1 root  kmem       9472 Dec 14 00:04:09 1999 /usr/sbin/iostat
-r-xr-sr-x  1 root  daemon    23968 Dec 14 00:04:12 1999 /usr/sbin/lpc
-r-sr-xr-x  1 root  wheel     14528 Dec 14 00:04:15 1999 /usr/sbin/mrinfo
-r-sr-xr-x  1 root  wheel     27528 Dec 14 00:04:15 1999 /usr/sbin/mtrace
-r-xr-sr-x  2 root  kmem      13184 Dec 14 00:04:20 1999 /usr/sbin/pstat
-r-sr-xr-x  5 root  wheel    290448 Dec 14 00:04:32 1999 /usr/sbin/purgestat
-r-sr-x---  1 root  network    9768 Dec 14 00:04:22 1999 /usr/sbin/sliplogin
-r-xr-sr-x  2 root  kmem      13184 Dec 14 00:04:20 1999 /usr/sbin/swapinfo
-r-sr-xr-x  1 root  wheel     13440 Dec 14 00:04:24 1999 /usr/sbin/timedc
-r-xr-sr-x  1 root  kmem       7036 Dec 14 00:04:25 1999 /usr/sbin/trpt



Things like the printer control, for example... If you don't have printing
services, why bother with the control programs?  Similarly, I don't think my
users need access to vmstat or any of the backup programs, local or remote.
If a program were to be created to track these files, and suggest to the
end user a method of disabling +o access, what would be the best way to go
about designing it?  Should it just read the contents of
/var/log/setuid.today?


I like Robert's idea of the 

HAS_MISC_SET_ID= {yes,no}
HAS_ROOT_SETUID= {yes,no}

for the ports, although I would say give it a month or so before marking
anything broken.

	---Mike
------------------------------------------------------------------------
Mike Tancsa,                          	          tel +1 519 651 3400
Network Administrator,     			  mike@sentex.net
Sentex Communications                 		  www.sentex.net
Cambridge, Ontario Canada
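One way the tracking program asked about above could be designed, as an added example that is not part of the original post: it parses the ls -l style lines of /var/log/setuid.today, keeps only entries that carry a setuid or setgid bit and are still executable by "other", and prints chmod o-x suggestions for those on a site deny list. The DENY_LIST is a hypothetical site policy; the sample lines are copied from the listing in the post.

```python
# Added example: suggest "chmod o-x" for privileged programs a site does
# not want world-executable, driven by the /var/log/setuid.today format.
import sys

# Sample input copied from the listing above (format of /var/log/setuid.today).
SAMPLE_REPORT = """\
-r-sr-sr-x  1 root  daemon    20864 Dec 14 00:04:12 1999 /usr/bin/lpr
-r-xr-sr-x  1 root  kmem      14536 Dec 14 00:03:54 1999 /usr/bin/vmstat
-r-sr-xr-x  1 root  wheel    153760 Dec 14 00:02:21 1999 /sbin/route
-r-sr-x---  1 root  network    9768 Dec 14 00:04:22 1999 /usr/sbin/sliplogin
"""

# Hypothetical site policy: no printing service, and ordinary users do not
# need the kmem-group statistics tools or the backup programs.
DENY_LIST = frozenset([
    "/usr/bin/lpr", "/usr/bin/lpq", "/usr/bin/lprm", "/usr/sbin/lpc",
    "/usr/bin/vmstat", "/sbin/dump", "/sbin/restore",
])


def parse_entry(line):
    """Split one ls -l line into the fields the policy needs, or None."""
    fields = line.split()
    if len(fields) < 9 or not fields[-1].startswith("/"):
        return None
    mode = fields[0]
    return {
        "path": fields[-1],
        "owner": fields[2],
        "group": fields[3],
        # Position 3 is the user-exec slot (s/S = setuid), position 6 the
        # group-exec slot (s/S = setgid), position 9 the other-exec slot.
        "setuid": mode[3] in "sS",
        "setgid": mode[6] in "sS",
        "other_exec": mode[9] == "x",
    }


def suggest(report, deny_list=DENY_LIST):
    """Return chmod commands for privileged, world-executable deny-listed files."""
    commands = []
    for line in report.splitlines():
        entry = parse_entry(line)
        if entry is None or not (entry["setuid"] or entry["setgid"]):
            continue
        if entry["other_exec"] and entry["path"] in deny_list:
            commands.append("chmod o-x %s" % entry["path"])
    return commands


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for cmd in suggest(text):
        print(cmd)
```

Run it with the path to setuid.today as its argument to get suggestions for the real report; entries already without other-execute (such as sliplogin above) produce nothing.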

