From owner-freebsd-security Mon Jul 28 13:09:21 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id NAA29230 for security-outgoing; Mon, 28 Jul 1997 13:09:21 -0700 (PDT)
Received: from homeport.org (lighthouse.homeport.org [205.136.65.198]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id NAA29225 for ; Mon, 28 Jul 1997 13:09:17 -0700 (PDT)
Received: (adam@localhost) by homeport.org (8.8.5/8.6.9) id QAA07078; Mon, 28 Jul 1997 16:04:52 -0400 (EDT)
From: Adam Shostack
Message-Id: <199707282004.QAA07078@homeport.org>
Subject: Re: security hole in FreeBSD
In-Reply-To: from Vincent Poy at "Jul 28, 97 12:29:43 pm"
To: vince@mail.MCESTATE.COM (Vincent Poy)
Date: Mon, 28 Jul 1997 16:04:51 -0400 (EDT)
Cc: langfod@dihelix.com, security@FreeBSD.ORG, mario1@PrimeNet.Com, johnnyu@accessus.net
X-Mailer: ELM [version 2.4ME+ PL27 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Vincent Poy wrote:
| =)My suggestion to you would be to get a clean source tree, recompile everything
| =)and install tripwire.
|
| I'll do that as soon as the machine comes back up. I heard that
| suid programs can be a problem too but which ones are required to be suid?

su really should be setuid. Everything else is debatable. My advice is
to turn off all setuid bits except those you know you need (possibly w,
who, ps, ping, at, passwd)

find / -xdev -perm -4000 -ok chmod u-s {} \;
find /usr -xdev -perm -4000 -ok chmod u-s {} \;
find / -xdev -perm -2000 -ok chmod g-s {} \;
find /usr -xdev -perm -2000 -ok chmod g-s {} \;
# The semicolons are part of the line

Adam

--
"It is seldom that liberty of any kind is lost all at once."
 -Hume
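
A non-interactive companion to the find commands in the message above, added here as an example and not part of Adam Shostack's post: it reports set-id files that are missing from an allowlist and can then clear their bits. The function names audit_setid and strip_setid and the allowlist file format are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original message).
# Allowlist format (assumed): one absolute path per line; lines starting
# with '#' are comments. Paths containing newlines are not supported.

# audit_setid ROOT ALLOWLIST
# Prints "suid <path>" and/or "sgid <path>" for every regular file under
# ROOT (same filesystem only, as with -xdev in the message) that carries
# the bit and is not listed in ALLOWLIST.
audit_setid() {
    root=$1
    allow=$2
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r f; do
        # Exact whole-line match, so /bin/su does not also allow /bin/sudo.
        if grep -v '^[[:space:]]*#' "$allow" | grep -Fxq -- "$f"; then
            continue
        fi
        if [ -u "$f" ]; then printf 'suid %s\n' "$f"; fi
        if [ -g "$f" ]; then printf 'sgid %s\n' "$f"; fi
    done
}

# strip_setid ROOT ALLOWLIST
# Clears the set-id bit on everything audit_setid reports. Review the
# audit output first; this is the unattended form of "-ok chmod u-s".
strip_setid() {
    audit_setid "$1" "$2" |
    while IFS= read -r line; do
        case $line in
            suid\ *) chmod u-s "${line#suid }" ;;
            sgid\ *) chmod g-s "${line#sgid }" ;;
        esac
    done
}

# Typical use (paths are placeholders):
#   audit_setid / /etc/setid.allow
#   strip_setid / /etc/setid.allow
```

Run audit_setid once per filesystem, since -xdev stops find from crossing mount points, which is why the message repeats each command for / and /usr.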