Date: Sat, 18 Apr 1998 12:18:57 -0400 (EDT)
From: Robert Watson <robert@cyrus.watson.org>
To: freebsd-security@FreeBSD.ORG
Subject: suid/sgid programs
Message-ID: <Pine.BSF.3.96.980418120221.15725B-300000@trojanhorse.pr.watson.org>
[-- Attachment #1 --]

One possible option for a security configuration program would be to allow the user to selectively enable/disable setuid programs on their machine. I have attached a list of suid and sgid programs found on a fairly default looking -stable machine from last night, roughly categorized into common sets. We note that it is particularly important that programs that are hard links of one another be in the same category, if the user is trying to enable/disable them :).

My thoughts on choices for setuid were:

1) Disable setuid
2) Enable setuid, but restrict execution to wheel
3) Enable setuid for all

In some cases (shutdown), option (2) is already the current arrangement. Depending on the system, policy for each set of binaries might vary.

One thing I'd like to see in the final version is a distinction between "definition of policy" and "application of policy". I.e., the user runs one program to define their policy. This generates a config file that can now be applied to the machine (or other machines). Someone suggested Dialog as an interface for doing this. This seems reasonable to me -- dialog does not look particularly hard to use :). Requiring X is clearly not the correct course of action.

For sgid, it is not clear whether the two options aren't just 'enable' and 'disable', as we can't really change the group on them to limit use :).

Also, there are a few suid/sgid programs that probably don't have to be -- ncrcontrol, for example. Most *control programs are not suid/sgid, and require the user to be uid0 to run them. Is there a reason for this difference here?

We note also that a fairly large chunk of suid/sgid programs are UUCP programs -- something that a majority of FreeBSD users (I would guess?) do not use. In terms of reducing risk, disabling suid/sgid on these programs as part of a hardening process, if they are not needed, would be a great boon.

The suid and sgid lists are formatted as follows:

category:binary,binary...

If I've missed any, please let me know.

Robert N Watson

----
Carnegie Mellon University            http://www.cmu.edu/
Trusted Information Systems           http://www.tis.com/
SafePort Network Services             http://www.safeport.com/
robert@fledge.watson.org              http://www.watson.org/~robert/

[-- Attachment #2 --]

cu:/usr/bin/cu
man:/usr/bin/man
uucp:/usr/bin/uucp,/usr/bin/uuname,/usr/bin/uustat,/usr/bin/uux,/usr/libexec/uucp/uucico,/usr/libexec/uucp/uuxqt
perl:/usr/bin/suidperl,/usr/bin/sperl4.036
at:/usr/bin/at,/usr/bin/atq,/usr/bin/atrm,/usr/bin/batch
passwd:/usr/bin/chpass,/usr/bin/chfn,/usr/bin/chsh,/usr/bin/ypchpass,/usr/bin/ypchfn,/usr/bin/ypchsh,/usr/bin/lock,/usr/bin/passwd,/usr/bin/yppasswd
skey:/usr/bin/keyinfo,/usr/bin/keyinit
login:/usr/bin/login
quota:/usr/bin/quota
rsh:/usr/bin/rlogin,/usr/bin/rsh,/bin/rcp
crontab:/usr/bin/crontab
su:/usr/bin/su
lpr:/usr/bin/lpq,/usr/bin/lpr,/usr/bin/lprm
sendmail:/usr/bin/newaliases,/usr/bin/mailq,/usr/bin/hoststat,/usr/libexec/mail.local,/usr/sbin/sendmail,/usr/sbin/purgestat
kerberos:/usr/bin/register
multicast:/usr/sbin/mrinfo,/usr/sbin/mtrace
pppslip:/usr/sbin/ppp,/usr/sbin/pppd,/usr/sbin/sliplogin
timed:/usr/sbin/timedc
ping:/usr/sbin/traceroute,/sbin/ping
route:/sbin/route
shutdown:/sbin/shutdown

[-- Attachment #3 --]

cu:/usr/bin/cu
uucp:/usr/bin/uustat,/usr/libexec/uucp/uucico
df:/bin/df
kmem:/bin/ps,/sbin/ccdconfig,/sbin/dmesg,/usr/bin/fstat,/usr/bin/ipcs,/usr/bin/netstat,/usr/bin/nfsstat,/usr/bin/systat,/usr/bin/top,/usr/bin/uptime,/usr/bin/vmstat,/usr/bin/w,/usr/sbin/iostat,/usr/sbin/ncrcontrol,/usr/sbin/pstat,/usr/sbin/swapinfo,/usr/sbin/trpt
tty:/sbin/dump,/sbin/rdump,/sbin/restore,/sbin/rrestore,/usr/bin/wall,/usr/bin/write
lpr:/usr/bin/lpq,/usr/bin/lpr,/usr/bin/lprm,/usr/sbin/lpc
games:/usr/games/dm
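The "definition of policy" versus "application of policy" split proposed in the message, sketched as an added example that is not part of the original e-mail or of any FreeBSD tool: it parses the category:binary,binary... format, flags hard links that straddle categories, and emits a reviewable command plan without executing anything. The choice names (disable, wheel, all), the function names, the symbolic chmod modes and the sample list are assumptions made for illustration.

```python
import os
import shlex

# Constructed sample in the message's "category:binary,binary..." format.
SAMPLE = """\
uucp:/usr/bin/uucp,/usr/bin/uuname
passwd:/usr/bin/chpass,/usr/bin/chfn,/usr/bin/passwd
shutdown:/sbin/shutdown
"""

# Assumed choice names for the message's options 1-3. chgrp runs before chmod
# because changing the group can clear the setuid bit.
ACTIONS = {
    "disable": ["chmod {bit}-s {p}"],
    "wheel": ["chgrp wheel {p}", "chmod u+s,g+rx,o-rwx {p}"],
    "all": ["chmod {bit}+s,o+rx {p}"],
}

def parse_list(text):
    """Parse category:binary,binary... lines into {category: [paths]}."""
    cats = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        cat, sep, rest = line.strip().partition(":")
        paths = [p.strip() for p in rest.split(",") if p.strip()]
        if not (sep and cat and paths and all(p[0] == "/" for p in paths)):
            raise ValueError(f"line {n}: expected category:/path,/path...")
        cats.setdefault(cat, []).extend(paths)
    return cats

def split_hard_links(cats, file_id=lambda p: os.stat(p)[1:3]):
    """Return groups of hard-linked paths that span more than one category."""
    owners = {}  # (st_ino, st_dev) -> [(category, path), ...]
    for cat, paths in cats.items():
        for p in paths:
            owners.setdefault(file_id(p), []).append((cat, p))
    return [sorted(p for _, p in g) for g in owners.values()
            if len({c for c, _ in g}) > 1]

def plan(cats, policy, bit="u"):
    """Return chmod/chgrp commands; bit is "u" (suid list) or "g" (sgid list)."""
    cmds = []
    for cat, paths in cats.items():
        choice = policy[cat]  # KeyError: no decision recorded for this category
        if choice not in ACTIONS or (choice == "wheel" and bit == "g"):
            raise ValueError(f"{cat}: choice {choice!r} not valid for this list")
        for p in map(shlex.quote, paths):
            cmds += [t.format(bit=bit, p=p) for t in ACTIONS[choice]]
    return cmds
```

Run `split_hard_links` on the target machine before applying a plan: a non-empty result means one inode would receive two different decisions, and the last command to touch it would win.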
