From: Barrett Richardson
To: Gustavo V G C Rios
Cc: security@freebsd.org, bos-owner-br@sekure.org
Date: Fri, 9 Jul 1999 13:35:16 -0400 (EDT)
Subject: Re: suid/guid
In-Reply-To: <3784D440.1075EFB3@tdnet.com.br>

On Thu, 8 Jul 1999, Gustavo V G C Rios wrote:

> Which of the following files should I turn off suid/guid bit flag?
> I just wanna keep the necessary file turn on suid/guid!

I am surviving with just these and I've recompiled them with a
stackguard compiler. I've omitted sendmail from the list because I'm
using qmail (it has some suid/guid stuff too). Some of the items in your
list are duplicates because they have hard links (passwd and chpass in
particular come to mind). I think ps works ok without suid for the most
part, just missing some minor bits of information here and there. I
probably (at the risk of irritating users and admins alike) could remove
suid/guid from w (uptime), traceroute, ping and df. I *could* get by with
the bare minimum of passwd, man, login and su (plus an SMTP agent like
sendmail or qmail).

/usr/bin/passwd
/usr/bin/man
/usr/bin/chpass
/usr/bin/login
/usr/bin/su
/usr/bin/w
/usr/sbin/traceroute
/sbin/ping
/bin/df
/bin/ps

- Barrett

>
> My system is freebsd-3.2Stable
>
> Here goes them:
>
> /proc/2965/file
> /bin/df
> /bin/ps
> /bin/rcp
> /sbin/ccdconfig
> /sbin/dmesg
> /sbin/dump
> /sbin/rdump
> /sbin/ping
> /sbin/restore
> /sbin/rrestore
> /sbin/route
> /sbin/shutdown
> /usr/bin/cu
> /usr/bin/uucp
> /usr/bin/uuname
> /usr/bin/uustat
> /usr/bin/uux
> /usr/bin/man
> /usr/bin/suidperl
> /usr/bin/sperl5.00503
> /usr/bin/at
> /usr/bin/atq
> /usr/bin/atrm
> /usr/bin/batch
> /usr/bin/chpass
> /usr/bin/chfn
> /usr/bin/chsh
> /usr/bin/ypchpass
> /usr/bin/ypchfn
> /usr/bin/ypchsh
> /usr/bin/fstat
> /usr/bin/ipcs
> /usr/bin/keyinfo
> /usr/bin/keyinit
> /usr/bin/lock
> /usr/bin/login
> /usr/bin/netstat
> /usr/bin/nfsstat
> /usr/bin/passwd
> /usr/bin/yppasswd
> /usr/bin/quota
> /usr/bin/rlogin
> /usr/bin/rsh
> /usr/bin/su
> /usr/bin/systat
> /usr/bin/top
> /usr/bin/vmstat
> /usr/bin/w
> /usr/bin/uptime
> /usr/bin/wall
> /usr/bin/write
> /usr/bin/crontab
> /usr/bin/lpq
> /usr/bin/lpr
> /usr/bin/lprm
> /usr/bin/newaliases
> /usr/bin/mailq
> /usr/bin/hoststat
> /usr/libexec/uucp/uucico
> /usr/libexec/uucp/uuxqt
> /usr/libexec/mail.local
> /usr/local/bin/screen-3.7.6
> /usr/local/bin/skill
> /usr/local/bin/snice
> /usr/local/bin/icmpinfo
> /usr/local/sbin/queso
> /usr/sbin/lpc
> /usr/sbin/iostat
> /usr/sbin/mrinfo
> /usr/sbin/mtrace
> /usr/sbin/pstat
> /usr/sbin/swapinfo
> /usr/sbin/sliplogin
> /usr/sbin/timedc
> /usr/sbin/traceroute
> /usr/sbin/trpt
> /usr/sbin/sendmail
> /usr/sbin/purgestat
> /usr/sbin/ppp
> /usr/sbin/pppd
> /usr/games/dm
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
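
Added example, not part of the original message or of FreeBSD: a POSIX sh audit that compares the setuid/setgid files on a system against a keep-list such as the one in the reply, treating hard-linked names (passwd and chpass) as one file. The function names, the keep-list format (one absolute path per line, as find prints it) and the script and file names in the usage comment are assumptions; paths containing newlines are not handled.

```shell
#!/bin/sh
# Added example: audit setuid/setgid files against a keep-list.
# Constructed names: list_strip_candidates, strip_bits, keep-list file.

# list_strip_candidates ROOT KEEPLIST
# Prints every setuid/setgid regular file under ROOT that is not covered by
# KEEPLIST. Hard links share one inode and one mode, so a file is covered
# when any of its names is listed (e.g. passwd and chpass).
list_strip_candidates() {
    root=$1; keeplist=$2
    scan=$(mktemp); kept=$(mktemp)
    # "inode path" for each setuid (4000) or setgid (2000) file. -xdev keeps
    # inode numbers comparable and skips other mounts such as procfs (the
    # /proc/2965/file entry in the quoted list).
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -di {} + 2>/dev/null > "$scan"
    # Inodes that have at least one name on the keep-list.
    while read -r ino file; do
        if grep -Fqx -- "$file" "$keeplist"; then echo "$ino"; fi
    done < "$scan" | sort -u > "$kept"
    # Everything else is a candidate for chmod ug-s.
    while read -r ino file; do
        grep -Fqx -- "$ino" "$kept" || echo "$file"
    done < "$scan" | sort
    rm -f "$scan" "$kept"
}

# strip_bits: reads paths on stdin and clears both bits on each.
strip_bits() {
    while IFS= read -r file; do
        chmod ug-s -- "$file"
    done
}

# Report only:  sh suid-audit.sh / /etc/suid.keep
# (script and keep-list names are placeholders)
if [ "$#" -ge 2 ]; then list_strip_candidates "$1" "$2"; fi
```

Review the report before piping it into strip_bits, since clearing the bits on one name of a hard-linked file clears them on every name.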