Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 22 Apr 2002 18:24:50 -0700 (PDT)
From:      Jason Stone <jason@shalott.net>
To:        hh <hh@dsgx.org>
Cc:        <freebsd-security@freebsd.org>
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-02:23.stdio
Message-ID:  <20020422181601.C14111-100000@walter>
In-Reply-To: <20020422210947.4fe7bc2a.hh@dsgx.org>

next in thread | previous in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> does anybody know's which kind of another files should be taken the +s
> option to block this bug ?

Uh, all of them?  Unless you explicitly need the functionality of a
particular setuid binary, you should remove the setuid bit.

For example, on most of my machines I run something like:

SETUIDOK='/usr/bin/su|/usr/local/bin/sudo|/usr/bin/passwd'
FILENAME=/root/desetuid-`date +%s`-$$-`hostname`
find / -fstype nfs -prune -o -perm -4000 -user 0 -type f | egrep \
	-v \($SETUIDOK\) \ > $FILENAME
ls -lo `cat $FILENAME` > ${FILENAME}.listing
find `cat $FILENAME` -flags chflags > ${FILENAME}.schg
chflags noschg `cat ${FILENAME}.schg`
chmod u-s `cat $FILENAME`
chflags schg `cat ${FILENAME}.schg`

to remove all setuid root bits except for the ones in SETUIDOK (passwd,
su, sudo).


Note, there was a previous thread on creating make variables to control
whether or not each setuid binary would be installed setuid.  I haven't
done any work on a patch, yet, but such a system would allow you a cleaner
way of deciding which binaries should be setuid when you do a make world.


 -Jason

 -----------------------------------------------------------------------
 I worry about my child and the Internet all the time, even though she's
 too young to have logged on yet.  Here's what I worry about.  I worry
 that 10 or 15 years from now, she will come to me and say "Daddy, where
 were you when they took freedom of the press away from the Internet?"
	-- Mike Godwin

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQE8xLfrswXMWWtptckRAtgOAKCeKvAVuiSOuIfwpJj0YaUZK7Nr3QCfShgg
vDWgBTH9H7Uq832IP0+a9XU=
=pFBi
-----END PGP SIGNATURE-----


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020422181601.C14111-100000>