From: Spidey
Date: Sun, 31 Oct 1999 21:27:56 -0500 (EST)
To: freebsd-security@freebsd.org
Subject: Examining FBSD set[ug]ids and their use

Hi.

I started 'compiling' some info about the use of the setuid and setgid files in FreeBSD. I took my list of suid files in /var/log/setuid.* and checked what the effect would be if I removed the set[ug]id bits. So I came up with this list.

And I thought it would be a good idea to have it in an mtree(1) format so that I could have a place to store the original permissions of the files, or be able to revert them to how I want them if I do a make world or something like that, or whatever.

I was also thinking of writing some program to examine each suid binary and ask interactively if we want to keep it this way. But I think that the list was enough work for now.

Feel free to email comments and corrections; I'll be happy to include them in the list. There are some programs that I do not know well or that I do not understand why they're suid, so...

I haven't put this on the web yet but it won't be long.
Attachment: setugid.txt

# This is the list of set[ug]id programs on my 3.3-Stable box.
# Each comment shows why the set[ug]id bit is there
# "Users" generally means "unprivileged users"
# A ? means "unknown" or "lacks exploration"
#
# Notes:
# - this list is probably portable to other systems, and should probably be.
# - This should be included in an mtree-like program that would be able
#   to disable or enable some s[gu]id on demand. I think I'll start coding... :)

/set type=dir
.
bin
/set type=file uname=root gname=wheel mode=4555
# The suid bit is NOT necessary for any usage I could find...
df gname=operator mode=2555
# Allow users to see processes? Users cannot see the 'STARTED' and
# 'TIME' columns, from ps aux... I don't want to dig much more..
ps gname=kmem mode=2555
# See /bin/rsh
rcp
/unset mode uname gname
/set type=dir
..
sbin
/set type=file uname=root gname=wheel mode=2555
# I don't have a ccd... I can't test this.
ccdconfig gname=kmem
# Users must be able to read /dev/mem to consult current dmesg
# I don't think random users need to consult dmesg.
dmesg gname=kmem
/set gname=tty
# Allow users to dump on remote (see dump(1), the BUGS section)
dump gname=tty
rdump gname=tty
restore gname=tty
rrestore gname=tty
/set gname=wheel
# Allow users to bind on a socket (which? where?)
ping mode=4555
# Allow users to consult routing tables
route mode=4555
# Allow operators to shut down the machine
shutdown gname=operator mode=4550
/unset mode uname gname
/set type=dir
..
usr
X11R6
bin
/set type=file uname=root gname=wheel mode=4755
# Allow users to grab the console or to write to utmp
Eterm
# ????? Look what's here?!
Xwrapper mode=4711
# High scores management
angband uname=bin gname=games mode=2555
# High scores management
cconq uname=games gname=bin
# Probably to allow users to access video memory
# This program fails running with:
#$ dga
# X Error of failed request:  BadMatch (invalid parameter attributes)
#   Major opcode of failed request:  78 (X_CreateColormap)
#   Serial number of failed request:  12
#   Current serial number in output stream:  269
#$
# So I guess a suid bit isn't a good idea, but without it:
#$ dga
#Must be suid root
#$
dga mode=4711
# Allow users to grab the console or to write to utmp
# I think there is a root shell exploit possible with earlier versions
# of rxvt so this shouldn't be suid...
rxvt mode=4711
# High scores management
sol uname=games gname=games mode=6755
# This is to bind on sockets and read some info from the kernel
wminet gname=kmem mode=2755
# High scores management
xboing gname=games mode=2755
# High scores management
xconq uname=games gname=bin
# Allow users to read cpu state in kernel memory
xcpustate gname=kmem mode=2755
# High scores management
xgalaga gname=games mode=2755
# Allow users to read master.passwd
xlock mode=4111
# High scores management
xpat2 gname=games mode=2555
# Allow users to see various info like the load and stuff from the
# kernel activity
xperfmon++ gname=kmem mode=2755
# High scores management
xpiperman gname=games mode=2755
# High scores management
xsoldier
# Allow users to read system info from the kernel
xsysinfo gname=kmem mode=2755
# Allow users to write to utmp or grab the console
xterm mode=4711
# High scores management
yamsweeper uname=games gname=bin
/unset mode uname gname
/set type=dir
..
..
bin
/set type=file mode=4555 uname=root gname=wheel
# Allow users to write in the at queue. It would be interesting to run
# this in a sandbox...
# These 4 are hardlinks
at
atq
atrm
batch
# Allow users to edit their /etc/passwd info
# These are links to chpass
chfn
chpass
chsh
ypchfn
ypchpass
ypchsh
passwd
yppasswd
# Allow users to change their crontab file in /var/cron/tabs
crontab
# Allow users to write on a port. Should not be public, IMHO. Should
# be (at least) "-r-sr-x--- uucp dialer" or something like that...
cu mode=6555 uname=uucp gname=dialer
# Allow users to see opened file info from the kernel
fstat mode=2555 gname=kmem
# Hum. This file is not in my system right now. I DON'T KNOW WHY.
hoststat
# Allow users to read IPC (System V shared memory) info from the
# kernel
ipcs mode=2555 gname=kmem
# Allow users to read /etc/skeykeys
keyinfo
# Allow users to use the S/Key system (again R/W of /etc/skeykeys)
keyinit
# Allow users to use the -p option, which is to use the current login
# password to lock the terminal
lock
# Allow users to read master.passwd, skeykeys and probably other
# things...
login
# Allow users to read the lp queue?
# Allow users to write various parts of the lp system...
/set mode=6555 gname=daemon
lpq
lpr
lprm
/set mode=4555 uname=root gname=wheel
# Allow users to read the mail queue
# Again, this is part of the sendmail suite and _can_ be replaced :)
mailq
# Allow users to use the catman cache
man uname=man
# Allow users to read the kernel net stats
netstat gname=kmem mode=2555
# Allow users to regenerate the aliases database.
# Why the hell would anyone other than the one who has modified the
# database want to rebuild it????
newaliases
# Allow users to access nfs stats
nfsstat mode=2555 gname=kmem
# Allow users to consult their quota
quota
# Allow these to bind on a privileged port for remote authentication
rlogin
rsh
# Allow users to use setuid perl scripts more easily
/set mode=4511
sperl5.00502
sperl5.00503
suidperl
/set mode=4555
# Allow users to 'read' /etc/master.passwd
su
# This is all the same kind of accesses to the kernel memory
/set mode=2555 uname=root gname=kmem
systat
top
uptime
# I never understood what uucp was....
/set mode=4555 uname=uucp gname=wheel
uucp
uuname
uustat gname=dialer mode=6555
uux
/set mode=4555 uname=root gname=wheel
# Allow users to read kmem VM stats....
vmstat mode=2555 gname=kmem
# Allow users to see who's online
w mode=2555 gname=kmem
# Allow users to write on another's tty
/set mode=2555 uname=root gname=tty
wall
write
/unset mode uname gname
/set type=dir
..
games
/set type=file mode=2555 uname=root gname=games
# "Gaming" management
dm
/unset mode uname gname
/set type=dir
..
libexec
/set type=file mode=4555 uname=root gname=wheel
# Allow users to 'mail' others (in fact, that's 'writing on another's
# mailbox)
mail.local
# uucp things...
/unset mode uname gname
/set type=dir
uucp
/set type=file mode=6555 uname=uucp gname=dialer
uucico
uuxqt mode=6550 gname=uucp
/unset mode uname gname
/set type=dir
..
..
local
bin
/set type=file mode=4555 uname=root gname=wheel
# Allow users to lock files in procmail
lockfile mode=2755 gname=mail
# This is the skill program. I think the sgid kmem is for reading
# process info. But it should not be needed, IMHO
skill mode=2755 gname=kmem
snice mode=2755 gname=kmem
# Same as rsh and such.
ssh1 mode=4711
# Allow users to see the 'flow' of data through network connections
# Strangely, pppload(1), a similar program, does _not_ need sgid
# privileges
# ?????? Why isn't that in $(X11BASE) ???
wmnet mode=2555 uname=bin gname=kmem
# High scores management
xmame mode=2111 gname=games
/unset mode uname gname
/set type=dir
..
sbin
/set type=file mode=4555 uname=root gname=wheel
# Allow users to read opened files in the kernel
lsof mode=2755 gname=kmem
# This is the only set[ug]id program from the postfix suite, and is
# not necessary if you agree to have a world writable drop directory.
postdrop mode=2755 gname=maildrop
/unset mode uname gname
/set type=dir
..
..
sbin
/set type=file mode=4555 uname=root gname=wheel
# Allow users to read I/O stats from the kernel
iostat mode=2555 gname=kmem
# Allow misc users to cancel print jobs
lpc mode=2555 gname=daemon
# Allow users to consult kernel routing tables
mrinfo
mtrace
# This is to access the dialing line and probably modify routes and such..
# ppp provides a good enough mechanism to control users, IMHO
ppp mode=4554 gname=network
# Shouldn't this be as ppp?
pppd
# Access various information in the kernel
pstat mode=2555 gname=kmem
# That's another binary that just disappeared from my box. I don't
# know why.
purgestat
# This is the sendmail super-program that does everything. Get rid of
# it, install postfix.. :)
sendmail
# Same as ppp
sliplogin mode=4550 gname=network
# Access kernel info about swap
swapinfo mode=2555 gname=kmem
# Allow users to read info from the timed daemon
timedc
# Same as ping
traceroute
# Allow users to read tcp debugging info
trpt gname=kmem mode=2555

Oh... and my box is:

FreeBSD anarcat.dyndns.org 3.3-STABLE FreeBSD 3.3-STABLE #6: Wed Oct 27 11:44:59 EDT 1999 root@anarcat.dyndns.org:/usr/src/sys/compile/HALL i386

The AnarCat.

-- 
If the image gives the illusion of knowing,
it is because the adage claims that, in order to believe,
all that matters is to see.
    Lofofora
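The poster describes two things he wants from the spec: a stored record of the intended set[ug]id permissions that can be re-applied after a make world, and a way to examine each suid binary against that record. The script below is an added example (not the poster's code and not FreeBSD's mtree(8)) that does both offline: it parses the mtree subset the posted file uses (/set, /unset, "..", "name key=value" entries and "#" comments), lists set[ug]id files that the spec does not cover, reports mode, owner and group drift for the files it does cover, and prints the chmod/chown/chgrp commands that would restore the spec. SAMPLE_SPEC is a shortened excerpt of the posted spec and SAMPLE_ACTUAL is a constructed stand-in for a live listing; the path /usr/local/bin/mystery is invented for the demonstration.

```python
"""Audit a box against a set[ug]id mtree(8) spec like the one posted above.
Added example, not the poster's code: it parses the mtree subset the posted
spec uses (/set, /unset, "..", "name key=value" entries, "#" comments),
lists set[ug]id files the spec does not cover, reports mode/owner/group
drift and prints commands that restore the spec.  SAMPLE_SPEC and
SAMPLE_ACTUAL are constructed inputs so the script runs offline."""
import stat

SUID_SGID = stat.S_ISUID | stat.S_ISGID  # the two bits the spec tracks

# Constructed excerpt of the posted spec (same syntax, shortened).
SAMPLE_SPEC = """\
/set type=dir
.
bin
/set type=file uname=root gname=wheel mode=4555
# The suid bit is NOT necessary for any usage I could find...
df gname=operator mode=2555
ps gname=kmem mode=2555
/unset mode uname gname
/set type=dir
..
sbin
/set type=file uname=root gname=wheel mode=2555
dmesg gname=kmem
shutdown gname=operator mode=4550
"""

# Constructed stand-in for a live listing: path -> (st_mode, user, group).
# On a real box build it from os.lstat() plus pwd.getpwuid()/grp.getgrgid().
SAMPLE_ACTUAL = {
    "/bin/df": (0o104555, "root", "wheel"),       # drifted from 2555 operator
    "/bin/ps": (0o102555, "root", "kmem"),
    "/sbin/dmesg": (0o102555, "root", "kmem"),
    "/sbin/shutdown": (0o104550, "root", "operator"),
    "/usr/local/bin/mystery": (0o104755, "root", "wheel"),  # suid, not in spec
    "/bin/ls": (0o100555, "root", "wheel"),       # no set[ug]id bit: ignored
}


def parse_spec(text):
    """Return {path: {keyword: value}} for each file entry.  /set values persist
    until /unset or an entry overrides them; a dir entry descends, ".." ascends."""
    defaults, stack, entries = {}, [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        words = line.split()
        if words[0] == "/set":
            defaults.update(kv.split("=", 1) for kv in words[1:])
        elif words[0] == "/unset":
            for key in words[1:]:
                defaults.pop(key, None)
        elif words[0] == "..":
            stack.pop()
        else:
            attrs = dict(defaults)
            attrs.update(kv.split("=", 1) for kv in words[1:])
            if attrs.get("type") == "dir":
                stack.append("" if words[0] == "." else words[0])  # "." = root
            else:
                entries["/".join(stack + [words[0]])] = attrs
    return entries


def audit(entries, actual):
    """Return (unexpected, mismatched): set[ug]id files the spec does not list,
    and (path, field, want, have) tuples where a listed file differs from it."""
    unexpected = sorted(path for path, (mode, _, _) in actual.items()
                        if mode & SUID_SGID and path not in entries)
    mismatched = []
    for path, want in entries.items():
        if path not in actual:
            continue  # not installed here (the poster's hoststat/purgestat case)
        mode, uname, gname = actual[path]
        have = {"mode": "%o" % stat.S_IMODE(mode), "uname": uname, "gname": gname}
        for field in ("mode", "uname", "gname"):
            if field in want and (int(want[field], 8) != int(have[field], 8)
                                  if field == "mode" else want[field] != have[field]):
                mismatched.append((path, field, want[field], have[field]))
    return unexpected, mismatched


def revert_commands(mismatched, root="/"):
    """Shell commands that would put the mismatched files back to the spec."""
    verb = {"mode": "chmod", "uname": "chown", "gname": "chgrp"}
    return ["%s %s %s" % (verb[field], want, root.rstrip("/") + path)
            for path, field, want, _ in mismatched]


if __name__ == "__main__":
    unexpected, mismatched = audit(parse_spec(SAMPLE_SPEC), SAMPLE_ACTUAL)
    for path in unexpected:
        print("set[ug]id file not in spec:", path)
    for path, field, want, have in mismatched:
        print("%s: %s is %s, spec says %s" % (path, field, have, want))
    print("\n".join(revert_commands(mismatched)))
```

On a real FreeBSD box the "actual" mapping would come from the output of find / -perm -4000 -o -perm -2000 fed through os.lstat() and the pwd/grp modules, and the revert commands should be reviewed before they are run. Note that mtree(8) itself already covers the re-apply half of the poster's wish: mtree -e -U -f setugid.txt -p / resets owner, group and mode of the listed files to the spec, with -e suppressing complaints about the rest of the tree. What mtree does not do is flag set[ug]id files that the spec never mentions (the "unexpected" list above), which is the part that catches a new package or a make world quietly adding a privileged binary.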