Date:      Tue, 23 Apr 2002 08:07:12 -0500 (CDT)
From:      Chuck Rock <carock@epctech.com>
To:        Jason Stone <jason@shalott.net>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-02:23.stdio
Message-ID:  <Pine.BSF.4.21.0204230759250.76024-100000@kira.epconline.net>
In-Reply-To: <20020422181601.C14111-100000@walter>

I see this a lot. If the answer is always "all of them", why isn't
FreeBSD distributed, and patched, and whatever, so that this is already
true? I've seen this suid thing go on for years, and this is the standard
reply, like some magical knowledge you learn after you play with
Linux/Unix for a while.

If this is true, then why isn't it so by now? FreeBSD ports even have
patches that tweak the ports when they install; couldn't they also tweak
the file bits when you run make install?

I can't believe that FreeBSD would allow their system to have these suid
bits set if they weren't supposed to be that way.

Chuck Rock

On Mon, 22 Apr 2002, Jason Stone wrote:

> > does anybody know which kind of other files should have the +s
> > option taken away to block this bug?
> 
> Uh, all of them?  Unless you explicitly need the functionality of a
> particular setuid binary, you should remove the setuid bit.
> 
> For example, on most of my machines I run something like:
> 
> # Paths allowed to keep their setuid bit (egrep alternation, unanchored).
> SETUIDOK='/usr/bin/su|/usr/local/bin/sudo|/usr/bin/passwd'
> FILENAME=/root/desetuid-`date +%s`-$$-`hostname`
> # List setuid-root files, skipping NFS mounts.  -print is attached to the
> # setuid branch only; without it the pruned mount points are listed too.
> find / -fstype nfs -prune -o -perm -4000 -user 0 -type f -print | egrep \
>     -v \($SETUIDOK\) > $FILENAME
> # Keep a record of what is about to change (ls -o shows the file flags).
> ls -lo `cat $FILENAME` > ${FILENAME}.listing
> # Files marked schg (system immutable) must have the flag lifted first.
> find `cat $FILENAME` -flags schg > ${FILENAME}.schg
> chflags noschg `cat ${FILENAME}.schg`
> chmod u-s `cat $FILENAME`
> chflags schg `cat ${FILENAME}.schg`
> 
> to remove all setuid root bits except for the ones in SETUIDOK (passwd,
> su, sudo).
> 
> 
> Note, there was a previous thread on creating make variables to control
> whether or not each setuid binary would be installed setuid.  I haven't
> done any work on a patch, yet, but such a system would allow you a cleaner
> way of deciding which binaries should be setuid when you do a make world.
> 
> 
>  -Jason
> 
>  -----------------------------------------------------------------------
>  I worry about my child and the Internet all the time, even though she's
>  too young to have logged on yet.  Here's what I worry about.  I worry
>  that 10 or 15 years from now, she will come to me and say "Daddy, where
>  were you when they took freedom of the press away from the Internet?"
> 	-- Mike Godwin
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 

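As an added example, not code from either poster in this thread: the audit side of the same task, listing setuid files that fall outside an allowlist and flagging any that appear after a saved baseline, so a new setuid root binary is noticed rather than silently stripped or silently kept. The paths are made up for illustration, and the owner argument exists only so the check can be exercised on a test tree (it defaults to uid 0).

```shell
#!/bin/sh
# Added example, not the thread's code: audit setuid files instead of
# stripping them blindly. Paths used here are constructed for illustration.

# Sorted list of setuid files owned by OWNER (default uid 0) under ROOT.
# NFS mounts are pruned; -print is attached to the setuid branch only,
# otherwise the pruned mount points would be printed as well.
list_setuid() {
    find "$1" -fstype nfs -prune -o \
         -perm -4000 -user "${2:-0}" -type f -print | sort
}

# Print setuid files under ROOT whose full path is not listed, one
# absolute path per line, in ALLOWFILE. grep exits 1 when nothing is
# left over, which here means "nothing unexpected", not an error.
audit_setuid() {
    root=$1 allowfile=$2 owner=${3:-0}
    list_setuid "$root" "$owner" |
        { grep -vxF -f "$allowfile" || [ $? -eq 1 ]; }
}

# Record the current setuid inventory of ROOT into BASELINE.
save_baseline() {
    root=$1 baseline=$2 owner=${3:-0}
    list_setuid "$root" "$owner" > "$baseline"
}

# Print setuid files present now but absent from BASELINE: a newly
# installed or re-enabled setuid binary is what should trigger review.
new_since_baseline() {
    root=$1 baseline=$2 owner=${3:-0}
    list_setuid "$root" "$owner" | comm -13 "$baseline" -
}

# Typical use on a real system, run as root (file names are assumptions):
#   printf '%s\n' /usr/bin/su /usr/local/bin/sudo /usr/bin/passwd > /root/setuid.allow
#   audit_setuid / /root/setuid.allow            # anything printed needs a decision
#   save_baseline / /root/setuid.baseline        # once the tree is as you want it
#   new_since_baseline / /root/setuid.baseline   # from cron; mail the output
```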
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0204230759250.76024-100000>