Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 28 Jul 1997 16:55:19 -0400 (EDT)
From:      Robert Watson <robert@cyrus.watson.org>
To:        Adam Shostack <adam@homeport.org>
Cc:        Vincent Poy <vince@mail.MCESTATE.COM>, security@FreeBSD.ORG
Subject:   Re: security hole in FreeBSD
Message-ID:  <Pine.BSF.3.95q.970728164656.3342K-100000@cyrus.watson.org>
In-Reply-To: <199707282004.QAA07078@homeport.org>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Mon, 28 Jul 1997, Adam Shostack wrote:

> Vincent Poy wrote:
> 
> 	su really should be setuid.  Everything else is debatable.  My
> advice is to turn off all setuid bits except those you know you need
> (possibly w, who, ps, ping, at, passwd)
> 
> find / -xdev -perm -4000 -ok chmod u-s {} \;
> find /usr -xdev -perm -4000 -ok chmod u-s {} \;
> find / -xdev -perm -2000 -ok chmod g-s {} \;
> find /usr -xdev -perm -2000 -ok chmod g-s {} \;
> # The semicolons are part of the line

Several mail delivery programs (mail.local, sendmail, uucp-stuff, etc)
require root access to delivery to local mailboxes; crontab related stuff,
terminal locking, some kerberos commands, local XWindows servers, and su
all rely on suid.

What type of secured environment are you hoping to create?  If root access
is only to be used from the console, and shared functions like
xwindows/mailstuff/user crontab aren't needed, you can probably just
disable all the suid-root programs, or suid-anything programs.  Look also
at the sgid programs that scan kmem.  Ideally, you'd also put the system
in a higher secure level, and mount all partitions non-suid, as long as
login kept working :).

Does login require suid, or does gettytab run it as root anyway?

  Robert N Watson 

Junior, Logic+Computation, Carnegie Mellon University  http://www.cmu.edu/
Network Security Research, Trusted Information Systems http://www.tis.com/
Network Administrator, SafePort Network Services  http://www.safeport.com/
robert@fledge.watson.org   rwatson@tis.com  http://www.watson.org/~robert/

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.95q.970728164656.3342K-100000>