From: Chuck Swiger
Date: Sat, 26 Jul 2003 19:32:39 -0400
Cc: FreeBSD Questions
Subject: Re: suid bit files and securing FreeBSD
Message-ID: <3F230F97.2010209@mac.com>
In-Reply-To: <00a201c35398$ed1de680$3501a8c0@pro.sk>

Peter Rosa wrote:
[ ... ]
> I'm looking for an exact list of files, which:
> 1. MUST have...
> 2. HAVE FROM BSD INSTALLATION...
> 3. DO NOT NEED...
> 4. NEVER MAY...
> ...the suid-bit set.
>
> Of course, it's no problem to find out which files ALREADY HAVE
> suid-bit set. But what files REALLY MUST have it ?

The files which ship setuid "REALLY MUST" have the setuid-bit for the
underlying programs to work normally for a non-root user. If you don't care
about non-root users having a normal environment, you can probably remove the
setuid-bit from every program.

[ Things like 'su' won't function, nor will 'ping', any utility like ps,
netstat, etc which grovel in kernel data structures, etc. ]

> I know generalities, as e.g. shell should never have suid bit set,
> but what if someone has copied any shell to some other location
> and have set the suid bit ? It's security hole, isn't it ?

Yes.

> And what if I have more such files on my machine ?

You would have more security holes.

> It is not about my machine has been compromised, it is only WHAT IF...
>
> --------------------------------------------
>
> Second question is: Has anybody an exact wizard, how to secure
> the FreeBSD machine. Imagine the situation, the only person who
> can do anything on that machine is me, and nobody other. I have
> set very restrictive firewalling, I have removed ALL tty's except
> two local tty's (I need to work on that machine), but there are
> still open port 25 and 53 (must be forever), so someone very
> tricky can compromise my machine.

Disconnect the machine from the network and lock it in a vault: that's a
secure system. If you can't do that, say because you need to run network
services on this system, then you need to stay up-to-date with regard to
those services, and upgrade or apply patches as appropriate, i.e., if a
security hole is announced.

Contorting the system in the fashion you describe gives little security
benefit.

-- 
-Chuck
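
An added example, not part of the original message or of FreeBSD itself: a POSIX sh audit that lists setuid/setgid files and flags any that are missing from a reviewed baseline, such as the copied shell raised in the question. The function names and the one-path-per-line baseline format are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original thread. Function names and the
# baseline format (one absolute path per line) are assumptions.

# list_setid ROOT: regular files under ROOT carrying the setuid (4000) or
# setgid (2000) bit, sorted. -xdev keeps find on ROOT's filesystem.
# Paths containing newlines are not handled.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print \
        2>/dev/null | LC_ALL=C sort
}

# audit_setid ROOT BASELINE: diff the current set-id files against a reviewed
# baseline. Prints "NEW <path>" for a file that gained the bit or appeared
# (e.g. a copied shell) and "GONE <path>" for a baseline entry without it.
# Returns 0 when nothing is NEW, 1 otherwise, 2 on setup failure.
audit_setid() {
    cur=$(mktemp) || return 2
    base=$(mktemp) || { rm -f "$cur"; return 2; }
    list_setid "$1" > "$cur"
    LC_ALL=C sort -u "$2" > "$base"
    new=$(LC_ALL=C comm -13 "$base" "$cur")
    gone=$(LC_ALL=C comm -23 "$base" "$cur")
    rm -f "$cur" "$base"
    [ -n "$new" ] && printf '%s\n' "$new" | sed 's/^/NEW /'
    [ -n "$gone" ] && printf '%s\n' "$gone" | sed 's/^/GONE /'
    [ -z "$new" ]
}

# demo: constructed tree with one baselined setuid file and one copied
# "shell" that was given the bit after the baseline was taken.
demo() {
    d=$(mktemp -d) || return 2
    mkdir "$d/bin" "$d/home"
    : > "$d/bin/su";  chmod 4555 "$d/bin/su"
    list_setid "$d" > "$d/baseline"            # reviewed known-good state
    : > "$d/home/sh"; chmod 4755 "$d/home/sh"  # appears after the baseline
    audit_setid "$d" "$d/baseline"; rc=$?
    rm -rf "$d"
    return "$rc"
}
```

Take the baseline right after installation or after a reviewed upgrade, and store it where an unprivileged user cannot rewrite it.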