Date: Mon, 28 Jul 1997 16:42:28 -0500
From: Karl Denninger <karl@Mcs.Net>
To: Robert Watson <robert+freebsd@cyrus.watson.org>
Cc: Adam Shostack <adam@homeport.org>, Vincent Poy <vince@mail.MCESTATE.COM>, security@FreeBSD.ORG
Subject: Re: security hole in FreeBSD
Message-ID: <19970728164228.19622@Jupiter.Mcs.Net>
In-Reply-To: <Pine.BSF.3.95q.970728164656.3342K-100000@cyrus.watson.org>; from Robert Watson on Mon, Jul 28, 1997 at 04:55:19PM -0400
References: <199707282004.QAA07078@homeport.org> <Pine.BSF.3.95q.970728164656.3342K-100000@cyrus.watson.org>
On Mon, Jul 28, 1997 at 04:55:19PM -0400, Robert Watson wrote:
> On Mon, 28 Jul 1997, Adam Shostack wrote:
>
> > Vincent Poy wrote:
> >
> > su really should be setuid. Everything else is debatable. My
> > advice is to turn off all setuid bits except those you know you need
> > (possibly w, who, ps, ping, at, passwd)
> >
> > find / -xdev -perm -4000 -ok chmod u-s {} \;
> > find /usr -xdev -perm -4000 -ok chmod u-s {} \;
> > find / -xdev -perm -2000 -ok chmod g-s {} \;
> > find /usr -xdev -perm -2000 -ok chmod g-s {} \;
> > # The semicolons are part of the line
>
> Several mail delivery programs (mail.local, sendmail, uucp-stuff, etc)
> require root access to deliver to local mailboxes; crontab-related stuff,
> terminal locking, some kerberos commands, local XWindows servers, and su
> all rely on suid.
>
> What type of secured environment are you hoping to create? If root access
> is only to be used from the console, and shared functions like
> xwindows/mailstuff/user crontab aren't needed, you can probably just
> disable all the suid-root programs, or suid-anything programs. Look also
> at the sgid programs that scan kmem. Ideally, you'd also put the system
> in a higher secure level, and mount all partitions non-suid, as long as
> login kept working :).
>
> Does login require suid, or does gettytab run it as root anyway?
>
> Robert N Watson

If you take the SUID off login it works fine, PROVIDED you don't try to use
it to "re-login" (a rather common thing for Berzerkelyoids to do).

--
Karl Denninger (karl@MCS.Net)| MCSNet - The Finest Internet Connectivity
http://www.mcs.net/~karl     | T1's from $600 monthly to FULL DS-3 Service
                             | 99 Analog numbers, 77 ISDN, http://www.mcs.net/
Voice: [+1 312 803-MCS1 x219]| NOW Serving 56kbps DIGITAL on our analog lines!
Fax:   [+1 312 803-4929]     | 2 FULL DS-3 Internet links; 400Mbps B/W Internal
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19970728164228.19622>
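As an added example (not code from the thread or from FreeBSD), here is a report-first version of the find(1) audit Adam describes, written as POSIX sh functions: it lists setuid/setgid files under a tree, checks each basename against an allowlist of programs known to need the bit (the names used are an assumption drawn from the programs Adam and Robert mention: su, passwd, ping, login and so on), and strips bits only from the rest, and only when the separate strip function is called. The tree root and allowlist are parameters, so it can be tried on a scratch directory before a real filesystem.

```shell
#!/bin/sh
# audit_suid ROOT "name1 name2 ..."
# Prints every setuid/setgid regular file under ROOT whose basename is NOT on
# the allowlist. Report-only: it never changes mode bits.
audit_suid() {
    root=$1
    allow=$2
    # -xdev: stay on one filesystem, like the thread's find(1) lines.
    # -perm -4000 / -2000: setuid / setgid bit set; either is enough to list.
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        base=$(basename "$f")
        ok=0
        for a in $allow; do
            if [ "$base" = "$a" ]; then ok=1; break; fi
        done
        if [ "$ok" -eq 0 ]; then echo "$f"; fi
    done
    return 0
}

# count_unexpected ROOT ALLOWLIST: number of files audit_suid would report.
count_unexpected() {
    audit_suid "$1" "$2" | wc -l | tr -d ' '
}

# strip_unexpected ROOT ALLOWLIST: remove setuid and setgid bits from every
# file audit_suid reports. Run audit_suid first and read the list; this is the
# non-interactive counterpart of the "-ok chmod u-s" form in the thread.
strip_unexpected() {
    audit_suid "$1" "$2" | while IFS= read -r f; do
        chmod u-s,g-s "$f" && echo "stripped: $f"
    done
    return 0
}

# Example allowlist (assumption): the programs the thread says need setuid.
KEEP_SUID="su login passwd ping at w who ps"
```

Run `audit_suid / "$KEEP_SUID"` (and again for each separately mounted filesystem such as /usr, since -xdev stops at mount points) and review the output before calling strip_unexpected.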