Date: Sun, 27 Jul 2003 09:57:10 +1000
From: Peter Jeremy <PeterJeremy@optushome.com.au>
To: Peter Rosa <prosa@pro.sk>
Cc: FreeBSD Security <freebsd-security@freebsd.org>
Subject: Re: suid bit files + securing FreeBSD
Message-ID: <20030726235710.GD4105@cirb503493.alcatel.com.au>
In-Reply-To: <00d601c3539a$91576a40$3501a8c0@pro.sk>
References: <00d601c3539a$91576a40$3501a8c0@pro.sk>
On Sat, Jul 26, 2003 at 07:23:02PM +0200, Peter Rosa wrote:
> Please, does anyone have a simple answer for:

Unfortunately, there isn't one.

> I'm looking for an exact list of files, which:
> 1. MUST have...
> 2. HAVE FROM BSD INSTALLATION...
> 3. DO NOT NEED...
> 4. NEVER MAY...
> ...the suid-bit set.

You may also want to look through the files that are setgid.

> Of course, it's no problem to find out which files ALREADY HAVE
> the suid-bit set.

Agreed.

> But what files REALLY MUST have it?

There's no simple answer to this. It's a matter of going through each file with setuid (or setgid) set, understanding why that file has the set[gu]id bit and whether you need that functionality.

> I know generalities, as e.g. a shell should never have the suid bit set,
> but what if someone has copied a shell to some other location
> and has set the suid bit? It's a security hole, isn't it?

Yes. But keep in mind that you have to be user "foo" or root to make an arbitrary file setuid "foo". If you find that you have unexpected setuid "foo" files on your machine (where "foo" is not a shell user account) then your machine has already been compromised.

> Second question is: Has anybody an exact wizard, how to secure
> the FreeBSD machine.

Seal it in an underground concrete bunker with no external access. Of course, this still isn't perfectly secure but it's probably good enough for most purposes. :-)

> Imagine the situation, the only person who
> can do anything on that machine is me, and nobody other.

It still depends on what you want to do on the machine and what you want the machine to be able to do.

> I have removed ALL tty's except
> two local tty's (I need to work on that machine),

Keep in mind that it isn't essential to have a TTY to access a machine.

> still open port 25 and 53 (must be forever), so someone very
> tricky can compromise my machine.

Yes. Does the machine need to be an SMTP/DNS server? Have you evaluated the various SMTP/DNS daemons for their security? Have you installed the SMTP/DNS daemon securely?

Peter
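The audit Peter describes, listing every set[ug]id file and then checking it against what the installation left behind, as an added shell example that is not part of the original thread: it enumerates set[ug]id files with find(1), compares the listing with a baseline kept from right after installation, and flags any setuid file owned by someone other than root. The ls -ld record format, the awk parsing and the sample listings are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: list set[ug]id files and
# compare them with a baseline recorded right after installation.

# collect_setugid ROOT
# Print every regular file below ROOT (default /) that is setuid or setgid,
# one ls -ld line each, without crossing into other filesystems.
collect_setugid() {
    find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} +
}

# audit_setugid BASELINE CURRENT
# Both files hold ls -ld lines as produced by collect_setugid. Reports every
# set[ug]id file missing from the baseline and, separately, every setuid file
# not owned by root: the thread above treats such a file as a sign that the
# machine has already been compromised. Paths containing spaces are not handled.
audit_setugid() {
    awk '
        NR == FNR { base[$NF] = 1; next }   # first file: remember baseline paths
        {
            mode = $1; owner = $3; path = $NF
            if (!(path in base))
                printf "NEW  %s %s %s\n", mode, owner, path
            # the setuid bit shows as s (or S if not executable) in the owner execute slot
            if (substr(mode, 4, 1) ~ /[sS]/ && owner != "root")
                printf "SUID-NONROOT %s %s %s\n", mode, owner, path
        }
    ' "$1" "$2"
}

# demo_audit: constructed sample listings standing in for real collect_setugid
# output; the current listing adds a setuid shell copied into a home directory.
demo_audit() {
    base=$(mktemp)
    cur=$(mktemp)
    cat >"$base" <<'EOF'
-r-sr-xr-x  1 root  wheel  12345 Jul 26  2003 /usr/bin/su
-r-sr-xr-x  1 root  wheel  23456 Jul 26  2003 /usr/bin/passwd
-r-xr-sr-x  1 root  kmem   34567 Jul 26  2003 /usr/bin/netstat
EOF
    cat >"$cur" <<'EOF'
-r-sr-xr-x  1 root  wheel  12345 Jul 26  2003 /usr/bin/su
-r-sr-xr-x  1 root  wheel  23456 Jul 26  2003 /usr/bin/passwd
-r-xr-sr-x  1 root  kmem   34567 Jul 26  2003 /usr/bin/netstat
-rwsr-xr-x  1 foo   users  56789 Jul 27  2003 /home/foo/bin/sh
EOF
    audit_setugid "$base" "$cur"
    rm -f "$base" "$cur"
}
```

On a real system, run `collect_setugid / > baseline.txt` once after installation, then later `collect_setugid / > current.txt; audit_setugid baseline.txt current.txt`; `demo_audit` runs the same comparison on the constructed listings.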