From owner-freebsd-security Mon Jul 28 13:55:35 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id NAA02185 for security-outgoing; Mon, 28 Jul 1997 13:55:35 -0700 (PDT)
Received: from cyrus.watson.org (robert@cyrus.watson.org [207.86.4.20]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id NAA02179 for ; Mon, 28 Jul 1997 13:55:31 -0700 (PDT)
Received: from localhost (robert@localhost) by cyrus.watson.org (8.8.5/8.8.5) with SMTP id QAA04144; Mon, 28 Jul 1997 16:55:19 -0400 (EDT)
Date: Mon, 28 Jul 1997 16:55:19 -0400 (EDT)
From: Robert Watson
Reply-To: Robert Watson
To: Adam Shostack
cc: Vincent Poy , security@FreeBSD.ORG
Subject: Re: security hole in FreeBSD
In-Reply-To: <199707282004.QAA07078@homeport.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 28 Jul 1997, Adam Shostack wrote:

> Vincent Poy wrote:
>
> su really should be setuid. Everything else is debatable. My
> advice is to turn off all setuid bits except those you know you need
> (possibly w, who, ps, ping, at, passwd)
>
> find / -xdev -perm -4000 -ok chmod u-s {} \;
> find /usr -xdev -perm -4000 -ok chmod u-s {} \;
> find / -xdev -perm -2000 -ok chmod g-s {} \;
> find /usr -xdev -perm -2000 -ok chmod g-s {} \;
> # The semicolons are part of the line

Several mail delivery programs (mail.local, sendmail, uucp-stuff, etc) require root access to deliver to local mailboxes; crontab related stuff, terminal locking, some Kerberos commands, local XWindows servers, and su all rely on suid. What type of secured environment are you hoping to create? If root access is only to be used from the console, and shared functions like xwindows/mailstuff/user crontab aren't needed, you can probably just disable all the suid-root programs, or suid-anything programs. Look also at the sgid programs that scan kmem.

Ideally, you'd also put the system in a higher secure level, and mount all partitions non-suid, as long as login kept working :). Does login require suid, or does gettytab run it as root anyway?

Robert N Watson

Junior, Logic+Computation, Carnegie Mellon University  http://www.cmu.edu/
Network Security Research, Trusted Information Systems  http://www.tis.com/
Network Administrator, SafePort Network Services  http://www.safeport.com/
robert@fledge.watson.org  rwatson@tis.com  http://www.watson.org/~robert/
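
A non-interactive way to take the inventory that the quoted find commands walk through, as an added example that is not part of the original messages: it reports setuid and setgid files that are missing from a reviewed allow-list and changes no permissions. The function name audit_setid and the allow-list file format (one absolute path per line) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread.
# audit_setid ROOT ALLOWLIST
#   ROOT      - directory to scan; -xdev keeps find on that one filesystem,
#               as in the quoted commands
#   ALLOWLIST - hypothetical review file: one absolute path per line,
#               lines starting with '#' and blank lines are ignored
# Prints "setuid <path>" or "setgid <path>" for every set-id regular file
# that is not on the allow-list. Returns 0 if nothing is unlisted, 1 if
# something is, 2 if the temporary file cannot be created.
audit_setid() {
    root=$1
    allow=$2
    clean=$(mktemp) || return 2

    # Keep only the path lines so grep -f sees exact paths.
    sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' "$allow" > "$clean"

    out=$(
        # -perm -4000 matches the setuid bit, -perm -2000 the setgid bit.
        for spec in setuid:-4000 setgid:-2000; do
            find "$root" -xdev -type f -perm "${spec#*:}" -print 2>/dev/null |
                grep -Fxv -f "$clean" |
                sed "s/^/${spec%%:*} /"
        done
    )
    rm -f "$clean"

    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
```

Run it per filesystem (for example once for / and once for /usr), review each reported path, and either add it to the allow-list or clear the bit with chmod u-s or chmod g-s.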