Date:      Thu, 16 Dec 1999 15:05:51 -0500 (EST)
From:      Spidey <beaupran@iro.umontreal.ca>
To:        Mike Tancsa <mike@sentex.net>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: setuid revisited (was Re: From BugTraq - FreeBSD 3.3 xsoldier root exploit (fwd) )
Message-ID:  <14425.17951.786660.581622@anarcat.dyndns.org>
References:  <14425.12035.757889.422296@anarcat.dyndns.org> <199912160615.XAA69151@harmony.village.org> <Pine.BSF.3.96.991216091552.26813A-100000@fledge.watson.org> <199912161828.LAA72864@harmony.village.org> <3.0.5.32.19991216143031.0192ae30@staff.sentex.ca>


As I mentioned before, I wrote a file in the mtree syntax that can be
used to update perms to your taste. You just modify the file to your
liking, and run mtree with it.

http://www.iro.umontreal.ca/~beaupran/FreeBSD/setugid.txt

Try it. You'll like it. :))

--- Big Brother told Mike Tancsa to write, at 14:30 of December 16:
> At 01:37 PM 12/16/99 -0500, Spidey wrote:
> >Yes. Since I've been looking at setuid's on FBSD, my primary concern's
> >been with the ports. I wished there could be some way to have a
> >variable in the Makefiles that say "NOSETUID=YES". :))
> 
> 
> Even the main tree seems a bit permissive for some applications (in my
> case, an ISP).  There are a few things I disable each time I make world on
> my shell and web server.  What would be the best way to automate this and
> give other people an easy way to disable unrestricted access easily to
> potentially dangerous programs?  e.g. looking through
> /var/log/setuid.today some of the files that look like a candidate for
> chmod o-x are
> 
> 
> -r-xr-sr-x  1 root  kmem      100148 Dec 14 00:02:03 1999 /sbin/ccdconfig
> -r-xr-sr-x  2 root  tty       221752 Dec 14 00:02:05 1999 /sbin/dump
> -r-xr-sr-x  2 root  tty       221752 Dec 14 00:02:05 1999 /sbin/rdump
> -r-xr-sr-x  2 root  tty       244920 Dec 14 00:02:20 1999 /sbin/restore
> -r-sr-xr-x  1 root  wheel     153760 Dec 14 00:02:21 1999 /sbin/route
> -r-xr-sr-x  2 root  tty       244920 Dec 14 00:02:20 1999 /sbin/rrestore
> -r-sr-xr-x  5 root  wheel   290448 Dec 14 00:04:32 1999 /usr/bin/hoststat
> -r-sr-sr-x  1 root  daemon   18064 Dec 14 00:04:12 1999 /usr/bin/lpq
> -r-sr-sr-x  1 root  daemon   20864 Dec 14 00:04:12 1999 /usr/bin/lpr
> -r-sr-sr-x  1 root  daemon   17624 Dec 14 00:04:13 1999 /usr/bin/lprm
> -r-s--x--x  1 root  wheel      47448 Apr 26 00:34:25 1999 /usr/bin/sperl5.00502
> -r-s--x--x  2 root  wheel    47472 Dec 14 00:01:28 1999 /usr/bin/sperl5.00503
> -r-s--x--x  2 root  wheel      47472 Dec 14 00:01:28 1999 /usr/bin/suidperl
> -r-xr-sr-x  1 root  kmem     52424 Dec 14 00:03:47 1999 /usr/bin/systat
> -r-xr-sr-x  1 root  kmem     14536 Dec 14 00:03:54 1999 /usr/bin/vmstat
> -r-xr-sr-x  2 root  kmem     10576 Dec 14 00:03:54 1999 /usr/bin/w
> -r-xr-sr-x  1 root  tty       8108 Dec 14 00:03:54 1999 /usr/bin/wall
> -r-xr-sr-x  1 root      games      6188 Dec 13 23:59:52 1999 /usr/games/dm
> -rwxr-sr-x  1 root  kmem     88160 Mar 18 21:39:54 1999 /usr/local/sbin/lsof
> -r-xr-sr-x  1 root      kmem       9472 Dec 14 00:04:09 1999 /usr/sbin/iostat
> -r-xr-sr-x  1 root      daemon    23968 Dec 14 00:04:12 1999 /usr/sbin/lpc
> -r-sr-xr-x  1 root      wheel     14528 Dec 14 00:04:15 1999 /usr/sbin/mrinfo
> -r-sr-xr-x  1 root      wheel     27528 Dec 14 00:04:15 1999 /usr/sbin/mtrace
> -r-xr-sr-x  2 root      kmem      13184 Dec 14 00:04:20 1999 /usr/sbin/pstat
> -r-sr-xr-x  5 root      wheel    290448 Dec 14 00:04:32 1999 /usr/sbin/purgestat
> -r-sr-x---  1 root      network    9768 Dec 14 00:04:22 1999 /usr/sbin/sliplogin
> -r-xr-sr-x  2 root      kmem      13184 Dec 14 00:04:20 1999 /usr/sbin/swapinfo
> -r-sr-xr-x  1 root      wheel     13440 Dec 14 00:04:24 1999 /usr/sbin/timedc
> -r-xr-sr-x  1 root      kmem       7036 Dec 14 00:04:25 1999 /usr/sbin/trpt
> 
> 
> 
> Things like the printer control for example... If you don't have printing
> services, why bother with the control programs.  Similarly, I don't think my
> users need access to vmstat or any of the backup programs, local or remote.
> If a program were to be created to track these files, and suggest to the
> end user a method of disabling +o access, what would be the best way to go
> about designing it?  Should it just read the contents of
> /var/log/setuid.today?
> 
> 
> I like Robert's idea of the 
> 
> HAS_MISC_SET_ID= {yes,no}
> HAS_ROOT_SETUID= {yes,no}
> 
> for the ports, although I would say give it a month or so before marking
> anything broken.
> 
> 	---Mike
> ------------------------------------------------------------------------
> Mike Tancsa,                          	          tel +1 519 651 3400
> Network Administrator,     			  mike@sentex.net
> Sentex Communications                 		  www.sentex.net
> Cambridge, Ontario Canada
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-- 
If the image gives the illusion of knowing,
It is because the adage claims that, to believe,
All that would matter is to see

Lofofora
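Mike asks above what a tool that reads /var/log/setuid.today and suggests removing other-execute from chosen set-id binaries might look like. The following POSIX sh script is an added example, not code from the thread or from FreeBSD: it parses constructed sample lines in the same ls -lT format as the quoted listing, converts the symbolic mode to octal, and prints a chmod that clears only the world execute bit for binaries on an administrator-chosen deny list. DENY_LIST, the function names and the sample lines are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): read /var/log/setuid.today-style
# "ls -lT" lines and print a chmod for each set-id binary on an
# administrator-chosen deny list, clearing only the world execute bit (o-x).
# DENY_LIST, the function names and the sample lines are assumptions.

# Constructed sample in the format of the listing quoted in the thread.
SAMPLE_LISTING='-r-xr-sr-x  2 root  tty       221752 Dec 14 00:02:05 1999 /sbin/dump
-r-sr-xr-x  1 root  wheel     153760 Dec 14 00:02:21 1999 /sbin/route
-r-sr-sr-x  1 root  daemon     18064 Dec 14 00:04:12 1999 /usr/bin/lpq
-r-xr-sr-x  1 root  kmem       14536 Dec 14 00:03:54 1999 /usr/bin/vmstat
-r-xr-sr-x  1 root  tty         8108 Dec 14 00:03:54 1999 /usr/bin/wall'
# Basenames this administrator has decided ordinary users do not need.
DENY_LIST="dump rdump restore rrestore lpq lpr lprm lpc vmstat iostat"

# triple_value: "r-s" -> 5 (lowercase s counts as the execute bit).
triple_value() {
    v=0
    case "$1" in r??) v=$((v + 4)) ;; esac
    case "$1" in ?w?) v=$((v + 2)) ;; esac
    case "$1" in ??[xs]) v=$((v + 1)) ;; esac
    echo "$v"
}
# mode_to_octal: 10-char symbolic ls mode -> 4-digit octal, e.g. 2555.
# Only setuid/setgid go into the leading digit (sticky bit is ignored).
mode_to_octal() {
    s=0
    case "$1" in ???[sS]??????) s=$((s + 4)) ;; esac   # setuid
    case "$1" in ??????[sS]???) s=$((s + 2)) ;; esac   # setgid
    printf '%d%d%d%d\n' "$s" \
        "$(triple_value "$(printf %s "$1" | cut -c2-4)")" \
        "$(triple_value "$(printf %s "$1" | cut -c5-7)")" \
        "$(triple_value "$(printf %s "$1" | cut -c8-10)")"
}
# suggest_chmod: listing lines on stdin -> "chmod NEWMODE PATH" per hit.
suggest_chmod() {
    while read -r mode links owner group size mon day time year path; do
        [ -n "$path" ] || continue
        case "$mode" in ???[sS]??????|??????[sS]???) ;; *) continue ;; esac
        base=${path##*/}
        for deny in $DENY_LIST; do
            [ "$base" = "$deny" ] || continue
            old=$(mode_to_octal "$mode")
            new="${old%?}$(( ${old#???} / 2 * 2 ))"   # clear world x only
            printf 'chmod %s %s\n' "$new" "$path"
            break
        done
    done
}

printf '%s\n' "$SAMPLE_LISTING" | suggest_chmod
```

On a real system, feed it the actual /var/log/setuid.today and review the printed lines before running them; the same policy can then be carried into an mtree spec, as Spidey suggests, so it survives the next make world.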
