Date: Sat, 2 Aug 1997 00:40:50 -0600 (MDT)
From: Marc Slemko <marcs@znep.com>
To: freebsd-security@FreeBSD.ORG
Subject: Re: Minimum files for operation
Message-ID: <Pine.BSF.3.95.970802003537.7520E-100000@alive.znep.com>
In-Reply-To: <199706270133.SAA25974@kirk.edmweb.com>
On Thu, 26 Jun 1997, Steve wrote:

> There was a post to this list briefly explaining the functions of most
> of the suid programs... Check the archives for a message from Marc
> Slemko, subject "setuid programs in freebsd".

It is included below. It is out of date. Some of the comments are not quite right. It is no longer complete. I don't have time to update it and haven't even looked at it for a long time. I was planning a nice menu-driven program to allow people to tighten down the security of their system, but other things came up and those other things will occupy all my spare development time for the foreseeable future.

$Id: setuid.txt,v 1.3 1996/09/30 03:41:30 marcs Exp marcs $

 7681 240 -r-sr-xr-x 1 uucp bin  110592 Jul 16 20:17 ./usr/bin/cu
 7682 152 -r-sr-xr-x 1 uucp bin   77824 Jul 16 20:17 ./usr/bin/uucp
 7684  72 -r-sr-xr-x 1 uucp bin   36864 Jul 16 20:17 ./usr/bin/uuname
 7687 168 -r-sr-xr-x 1 uucp bin   86016 Jul 16 20:17 ./usr/bin/uustat
 7689 160 -r-sr-xr-x 1 uucp bin   81920 Jul 16 20:18 ./usr/bin/uux
99849 400 -r-sr-xr-x 1 uucp bin  196608 Jul 16 20:17 ./usr/libexec/uucp/uucico
99850 176 -r-sr-x--- 1 uucp uucp  90112 Jul 16 20:18 ./usr/libexec/uucp/uuxqt

USE: Used by uucp.

IMPACT: If you are not using uucp on your system, removing the setuid flag from uucp, uuname, uustat, uux, uuxqt and uucico will have no impact on the functionality of your system. If you use cu for accessing ports, removing the setuid flag may or may not affect its use depending on how you use it. If you are using uucp, there is no easy way, and arguably no need, to remove the setuid flag.

COMMENTS: Since they are setuid uucp and not root, a security hole would only result in someone gaining access to the uucp user. If you are using uucp, compromising the uucp user means that all your uucp traffic can be compromised. If you aren't using uucp, compromising the uucp user means that, on systems using the default permissions for /dev/cua*, access to any serial devices on the system will be gained.
If those devices include modems, long distance phone calls could be made.

7745 576 ---s--x--x 2 root bin 286720 Jul 16 20:21 ./usr/bin/suidperl
7745 576 ---s--x--x 2 root bin 286720 Jul 16 20:21 ./usr/bin/sperl4.036

suidperl and sperl4.036 are both links to the same file. suidperl should be taken to refer to both suidperl and sperl4.036. If you installed perl5, there will also be suidperl and sperl* in /usr/local/bin; the same comments apply to them.

USE: suidperl is a part of perl that allows for secure execution of setuid and setgid perl scripts. Traditionally, setuid and setgid scripts have been insecure due to a race condition when executing the script. suidperl provides a workaround. See the perlsec(1) (in perl 5) or perl(1) (in perl 4; under the 'Setuid Scripts' section; the perl 4 man page is quite incomplete in this regard, so you probably want to use the perl5 one) man page for more details.

IMPACT: Removing the setuid flag from suidperl will mean that setuid or setgid perl scripts will no longer work. Most people don't use them, so for most people this is of little consequence.

COMMENTS: There was a rather large security hole discovered in suidperl soon before the 2.1.5 release that allowed any user to gain root access on many systems with suidperl installed. FreeBSD 2.1.0 was vulnerable; 2.1.5 is not. If you are still running a 2.1.0 system and have not fixed suidperl, take the suid flag off suidperl and sperl* immediately and find out more about the problem. Although, as far as anyone knows, suidperl is now secure, I would advise removing the setuid flags from all copies of 'sperl*' and 'suidperl' on your system if you don't use setuid or setgid perl scripts.
7772 40 -r-sr-xr-x 4 root bin 20480 Jul 16 20:28 ./usr/bin/at
7772 40 -r-sr-xr-x 4 root bin 20480 Jul 16 20:28 ./usr/bin/atq
7772 40 -r-sr-xr-x 4 root bin 20480 Jul 16 20:28 ./usr/bin/atrm
7772 40 -r-sr-xr-x 4 root bin 20480 Jul 16 20:28 ./usr/bin/batch

at, atq, atrm and batch are links to the same file.

USE: Used to schedule jobs in a similar way to cron, except designed more for non-repeating one time jobs.

IMPACT: Removing the setuid flag results in users other than root being unable to use at.

7782 48 -r-sr-xr-x 6 root bin 24576 Jul 16 20:29 ./usr/bin/chpass
7782 48 -r-sr-xr-x 6 root bin 24576 Jul 16 20:29 ./usr/bin/chfn
7782 48 -r-sr-xr-x 6 root bin 24576 Jul 16 20:29 ./usr/bin/chsh
7782 48 -r-sr-xr-x 6 root bin 24576 Jul 16 20:29 ./usr/bin/ypchpass
7782 48 -r-sr-xr-x 6 root bin 24576 Jul 16 20:29 ./usr/bin/ypchfn
7782 48 -r-sr-xr-x 6 root bin 24576 Jul 16 20:29 ./usr/bin/ypchsh

chpass, chfn, chsh, ypchpass, ypchfn and ypchsh are links to the same file.

USE: Used to change various information in the password file.

IMPACT: If the setuid flag is removed, users will be unable to change information in the password file.

7836 24 -r-sr-xr-x 1 root bin 12288 Jul 16 20:30 ./usr/bin/keyinit

USE: Used by the S/Key authentication system to initialize the use of S/Key one time passwords for logins.

IMPACT: Removing the setuid flag from keyinit means that the S/Key authentication system will no longer be functional on your system.

COMMENTS: *** Pointer to S/Key info. *** Does S/Key need to be setuid root?

7843 24 -r-sr-xr-x 1 root bin 12288 Jul 16 20:30 ./usr/bin/lock

USE: Allows the user to 'lock' their terminal from being used until either the given password or login password (depending on command line options) is given or the program times out.

IMPACT: *** None?!?!
(won't let user use login password to disable)

COMMENTS: *** error in source --> no root password

7845 40 -r-sr-xr-x 1 root bin 20480 Jul 16 20:30 ./usr/bin/login

USE: Used by many programs in the login name to authenticate by username and password. Can also be used by a user already logged in to get a new login prompt if they wish to login again, possibly as another user.

IMPACT: Removing the setuid flag from login results in people who are already logged in being unable to run login to get a new login prompt. For most systems this is not a problem, and many Unixes even ship without login setuid.

COMMENT: Although login should be quite secure, and does run as root anyway from programs such as telnetd, removing the setuid flag has so few side effects that it is worthwhile doing if acceptable in your situation.

7868 40 -r-sr-xr-x 2 root bin 20480 Jul 16 20:30 ./usr/bin/passwd
7868 40 -r-sr-xr-x 2 root bin 20480 Jul 16 20:30 ./usr/bin/yppasswd

passwd and yppasswd are links to the same file.

USE: Allows users to change their password.

IMPACT: Removing the setuid flag from passwd means that users will be unable to change their passwords. There are few environments in which this is practical.

COMMENTS: This is one of the things that it is reasonable to require a program that is setuid root to do. People interested in increasing the security of user passwords should look at something like ANLpasswd which checks user passwords in an attempt to encourage the user to choose a secure password. *** add pointer to more info

7873 24 -r-sr-xr-x 1 root bin 12288 Jul 16 20:30 ./usr/bin/quota

USE: Displays information about users' disk usage and limits.

IMPACT: Removing the setuid flag means that only users with access to read quota.user on the relevant partition will be able to get quota information. If you aren't using quotas, removing the setuid flag will have no impact on operations.

COMMENTS: *** why is it setuid root? why not setgid something?
7875 88 -r-sr-xr-x 1 root bin 45056 Jul 16 20:30 ./usr/bin/rdist

USE: rdist is a program that allows for automated remote file distribution.

IMPACT: Removing the setuid flag means that only root will be able to use rdist. If you aren't using rdist, removing the setuid flag will have no impact on operations.

COMMENTS: There was a rather large security hole discovered in rdist soon before the 2.1.5 release that allowed any user to gain root access on most systems with rdist installed. FreeBSD 2.1.0 is vulnerable; 2.1.5 is not. If you are still running a 2.1.0 system and have not fixed rdist, take the suid flag off rdist immediately and find out more about the problem. Although, as far as anyone knows, the current rdist is secure, I would recommend removing the setuid flag from rdist. If you require the functionality provided by rdist, there is a rdist-6.1.2 package/port which uses rsh; since it uses rsh and does not call rcmd(3) directly, it does not need to be setuid root. Also note that both versions of rdist use host based security, which has some quite serious flaws. It is possible to make ssh work with the rdist-6.1.2 package; that is strongly recommended if you need to use rdist.

7878 32 -r-sr-xr-x 1 root bin 16384 Jul 16 20:30 ./usr/bin/rlogin

USE: rlogin allows you to login remotely to a machine over the network.

IMPACT: Removing the setuid flag from rlogin means that users other than root will be unable to use rlogin to connect to remote hosts.

COMMENTS: There was a security hole in rlogin that was patched soon after the 2.1.5 release. I have not investigated it in depth, nor have I heard of any exploits for it, but it is possible that the hole discovered could allow others to gain root access to your system. *** more info, pointer to fixed binary? In many environments, rlogin can not be disabled without having an unacceptable impact on system usability. *** add note on rlogin and host based auth in general?
7882 24 -r-sr-xr-x 1 root bin 12288 Jul 16 20:31 ./usr/bin/rsh

USE: rsh is similar to rlogin in that it allows remote execution of commands, however rsh can not be used with interactive commands. *** fix up

IMPACT: Removing the setuid flag from rsh means that users other than root will be unable to use rsh to connect to remote hosts.

COMMENTS: In many environments, rsh can not be disabled without having an unacceptable impact on system usability.

7901 24 -r-sr-xr-x 1 root bin 12288 Jul 16 20:31 ./usr/bin/su

USE: su is used to switch the user you are running as. It can be used by those in group wheel to switch to the root user (uid 0), and by others to switch to other users. Authentication is by password.

IMPACT: Removing the setuid flag from su means that users other than root will be unable to use su to switch to other users.

COMMENTS: In most cases, unless some alternative such as sudo is being used, removing the setuid flag from su is a very bad idea since it means people need to login as root directly to do things requiring superuser privileges. In many environments, an acceptable alternative is to chgrp su to group wheel and take away execute permission from people not in group wheel. This means that while people in group wheel can still use su to switch users, others will be unable to use it. To some, this is viewed as being desirable in itself, regardless of other security improvements that it may make.

7960 48 -r-sr-xr-x 1 root bin 24576 Jul 16 20:33 ./usr/bin/crontab

USE: crontab is used by users to edit their crontab files.

IMPACT: Removing the setuid flag from crontab means that users other than root will be unable to modify their crontabs.

COMMENTS: At some sites, local policy is to not let users have their own crontabs. If this is the case, it can be worthwhile to make a separate group for those users allowed to have crontabs and only allow users in that group to run crontab.
7964 32 -r-sr-sr-x 1 root daemon 16384 Jul 16 20:33 ./usr/bin/lpq
7965 40 -r-sr-sr-x 1 root daemon 20480 Jul 16 20:33 ./usr/bin/lpr
7966 32 -r-sr-sr-x 1 root daemon 16384 Jul 16 20:33 ./usr/bin/lprm

USE: All part of the BSD line printer system used for print queueing, both locally and to and from remote hosts.

IMPACT: Removing the setuid and setgid flags from the above three utilities means that users other than root will be unable to execute them to submit or remove print jobs. There is an associated program called lpc that is setgid daemon and which can be used, by authorized users, to control print queuing. On hosts that do not use this system for print queueing, removing the setuid and setgid flags will have no impact.

COMMENTS: Although lpd and associated programs do not have any currently known problems, I hesitate to trust them. There is no real need for such a program to run as root most of the time. If you don't use them, disable them. If you do need the functionality that they provide, I suggest you take a look at LPRng (which originates from PLP). LPRng is a much more secure replacement to lpd and associated programs that also adds numerous features. It is available at ftp://dickory.sdsu.edu/pub/LPRng.

7967 496 -r-sr-xr-x 3 root bin 245760 Jul 16 20:37 ./usr/bin/newaliases
7967 496 -r-sr-xr-x 3 root bin 245760 Jul 16 20:37 ./usr/bin/mailq
7967 496 -r-sr-xr-x 3 root bin 245760 Jul 16 20:37 ./usr/sbin/sendmail

These three programs are links to the same file.

USE: Sendmail is a full featured SMTP transport program.

IMPACT: Removing the setuid flags from these programs, without some fairly in-depth other changes, will result in very major problems, even if you aren't connected to the Internet.

COMMENTS: *** It's sendmail. smapd, smrsh, other programs to help reduce risk? alternatives? don't run sendmail as daemon if you don't need to receive mail.
*** recent bug fixes

76850 24 -r-sr-xr-x 1 root bin 12288 Jul 16 20:22 ./usr/libexec/mail.local

USE: Part of sendmail; used for local mail delivery.

IMPACT: Removing the setuid flag from mail.local, without numerous other changes, will result in major problems on your system.

COMMENTS: *** related to sendmail, setgid possibilities

65 40 -rwsr-xr-x 1 root bin 20480 Jul 16 20:33 ./usr/sbin/mrinfo
67 56 -rwsr-xr-x 1 root bin 28672 Jul 16 20:33 ./usr/sbin/mtrace

USE: Used to debug multicast routing.

IMPACT: Removing the setuid flag from mrinfo and mtrace will mean that users other than root will be unable to use these utilities to get information about multicast routing. If you aren't using multicast routing, they can be disabled without problem.

COMMENTS: If you don't know what multicast routing is, you almost certainly aren't using it.

91 168 -r-sr-xr-x 1 root bin 86016 Jul 16 20:34 ./usr/sbin/ppp

USE: Establish ppp connections using kernel level ppp.

IMPACT: Removing the setuid flag results in users other than root being unable to run kernel level ppp.

COMMENTS: If you are using user level ppp (see "/usr/sbin/ppp"), disabling kernel level ppp ("pppd") will have no impact on your ppp connections. On many systems that do use pppd, there is no need to have it executable by everyone so restricting execution to a specific group may be appropriate.

92 128 -r-sr-xr-x 1 root bin 65536 Jul 16 20:34 ./usr/sbin/pppd

USE: Establishing ppp connections using user level ppp.

IMPACT: Removing the setuid flag results in users other than root being unable to run kernel level ppp.

COMMENTS: If you are using kernel level ppp (see "/usr/sbin/pppd"), disabling user level ppp will have no impact on your ppp connections. On many systems that do use user level ppp, there is no need to have it executable by everyone so restricting execution to a specific group may be appropriate.
Personally, I have some serious (perhaps unfair; I have NOT really looked into the code in depth) concerns about the thought given by the author to security while writing "ppp". These concerns include things such as the suggested login script in the man page (although that may or may not have been suggested by the original author; see PR 1383 for details) and the default of allowing telnet connections to manage the ppp session. *** info on recent bug and fix

108 32 -r-sr-xr-x 1 root bin 16384 Jul 16 20:34 ./usr/sbin/sliplogin

USE: Establishing a SLIP connection.

IMPACT: Removing the setuid flag results in users other than root being unable to properly establish a SLIP connection.

COMMENTS: If you don't use slip, take the setuid flag off. There was a security hole in old versions that was fixed as of 1996/04/24; 2.1.0 is vulnerable, 2.1.5 should be fixed.

118 40 -r-sr-xr-x 1 root bin 20480 Jul 16 20:34 ./usr/sbin/timedc

USE: Used to control the time daemon timed.

IMPACT: Removing the setuid flag results in users other than root being unable to use timedc. timedc is setuid because it needs to bind to a privileged port. If you don't use timedc, timed should work just fine with the setuid flag removed from timed.

COMMENTS: This code seems relatively secure since it gets rid of its root privileges right after it binds to the port.

119 32 -r-sr-xr-x 1 root bin 16384 Jul 16 20:34 ./usr/sbin/traceroute

USE: Used to trace the route that IP packets follow over a network. Extremely useful for users in many environments.

IMPACT: Removing the setuid flag results in users other than root being unable to use traceroute.

COMMENTS: There have been some recent security fixes in traceroute, but I am uncertain as to if they fix exploitable holes. ***

207 352 -r-sr-xr-x 1 root bin 172032 Jul 16 20:15 ./bin/rcp

USE: Used to copy files across the network.

IMPACT: Removing the setuid flag results in users other than root being unable to use rcp.
COMMENTS: rcp uses host based security and is vulnerable to things such as IP spoofing. A bad thing to use, not just because of any possible security problems in the binary. ssh is a more secure solution that is worth investigating.

686 384 -r-sr-sr-x 2 root tty 188416 Jul 16 20:23 ./sbin/dump
686 384 -r-sr-sr-x 2 root tty 188416 Jul 16 20:23 ./sbin/rdump

dump and rdump are links to the same file.

USE: Used for local and network backups.

IMPACT: Removing the setuid flag results in users other than root being unable to perform backups of the filesystem.

COMMENTS: The idea is that anyone in the 'operator' group is able to do backups without having to be root. This is an ideal candidate for restricting execution by means of group, except for the fact that it has to be setgid tty to allow the 'n' option to work. If you don't use the 'n' option, remove the setgid flag, change it to group operator, and remove the world execute flag. Then only those in the operator group can exploit any security holes that may be there, and since generally they can read from the raw disk device anyway... If it is not setuid root, then local backups can still work as long as the person doing them has access to the raw device file and the dump device, however network backups will not work because rcmd(3) will fail.

717 256 -r-sr-xr-x 1 root bin 118784 Jul 16 20:24 ./sbin/ping

USE: ping is used to send icmp echo requests to hosts on the network for the purpose of determining reachability.

IMPACT: Removing the setuid flag results in users other than root being unable to use ping.

COMMENTS: ping is a very useful thing for users, although there are possible denial of service attacks possible, especially with the '-l' option. There have been some potential security holes fixed after 2.1.5 was released, but it appears like none of them are exploitable. Perhaps.
721 416 -r-sr-sr-x 2 root tty 204800 Jul 16 20:24 ./sbin/restore
721 416 -r-sr-sr-x 2 root tty 204800 Jul 16 20:24 ./sbin/rrestore

restore and rrestore are links to the same file.

USE: Used for local and network restores.

IMPACT: same as dump

COMMENTS: same as dump

722 272 -r-sr-xr-x 1 root bin 126976 Jul 16 20:24 ./sbin/route

USE: route is used to maintain the routing table.

IMPACT: Removing the setuid flag results in users other than root being unable to access the routing table via route. Normally users can't change routes anyway, so the only thing you lose is 'route get' and 'route monitor'.

COMMENTS: minimal impact in most situations if the setuid flag is removed.

726 288 -r-sr-x--- 1 root operator 139264 Jul 16 20:24 ./sbin/shutdown

USE: Used to shutdown the system.

IMPACT: Removing the setuid flag results in users other than root being unable to use shutdown.

COMMENTS: it is restricted to execution by those in the operator group anyway, so as long as you are careful about who you put in the operator group there should be little risk.

734 288 -r-sr-xr-x 1 root bin 139264 Jul 16 20:24 ./sbin/mount_msdos

USE: Used to mount MS-DOS filesystems.

IMPACT: Removing the setuid flag results in users other than root being unable to mount DOS filesystems.

COMMENTS: I sure don't want users mounting filesystems on my box. While it is true that in some situations it can be useful to allow users to do so, I much prefer mtools if users need access to DOS filesystems. I find it more an issue of stability than security, since I don't trust the FreeBSD DOS filesystem code.
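The procedure the list above keeps coming back to (find the set-id binaries, clear the bit on the ones you don't need, and for the ones you keep use the chgrp-to-wheel/operator trick from the su and dump entries so only one group can run them) written up as a small audit script. This is an added example and is not part of Marc's message or of FreeBSD; the function names, the allowlist format (one path per line, optionally followed by a group name), and the stat -c format syntax (GNU coreutils; BSD stat would need -f with its own format codes) are assumptions made for this illustration. It prints the chmod/chgrp commands instead of running them, so the plan can be read before it is piped into sh as root.

```shell
#!/bin/sh
# Audit set-id binaries under a root directory and plan which ones keep
# the bit. Added example, not from the original mail; the allowlist
# format and the function names are assumptions made for this script.
#
# Usage:  sh setid-audit.sh audit /            # list every set-id file
#         sh setid-audit.sh plan / allow.txt   # print the chmod/chgrp plan
#         sh setid-audit.sh plan / allow.txt | sh   # apply it (as root)

# Print every regular file under $1 carrying the setuid or setgid bit,
# one per line, as "<octal mode> <owner> <group> <path>", sorted by path.
# stat -c is GNU coreutils syntax; BSD stat would be
#   stat -f '%Lp %Su %Sg %N'
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%a %U %G %n' {} \; 2>/dev/null | sort -k4
}

# Emit the commands that restrict binary $1 to group $2: the set-id bit
# stays, the file is handed to the group, and "other" loses everything.
# This is the chgrp-to-wheel/operator trick from the su and dump entries.
# Commands are printed rather than executed so the plan can be reviewed.
restrict_to_group() {
    echo "chgrp $2 $1"
    echo "chmod o-rwx $1"
}

# Build the hardening plan for root dir $1 from allowlist file $2.
# Allowlist format (an assumption of this example): one path per line,
# relative to the root, e.g. "/usr/bin/su wheel" or "/bin/ping".
#   listed with a group  -> keep set-id, restrict execution to that group
#   listed, no group     -> keep as-is
#   not listed           -> clear setuid and setgid
plan_hardening() {
    root="$1"; allow="$2"
    list_setid "$root" | while read -r mode owner group path; do
        rel="${path#"$root"}"
        # awk prints "y <group>" on an exact first-field match, else nothing
        set -- $(awk -v p="$rel" '$1 == p { print "y", $2; exit }' "$allow")
        if [ "${1-}" != y ]; then
            echo "chmod u-s,g-s $path"
        elif [ -n "${2-}" ]; then
            restrict_to_group "$path" "$2"
        else
            echo "# keep $path ($owner:$group $mode)"
        fi
    done
}

case "${1-}" in
    audit) list_setid "${2:-/}" ;;
    plan)  plan_hardening "${2:-/}" "${3:?allowlist file}" ;;
esac
```

Run the audit first and diff its output against a saved copy after every upgrade: a new set-id file appearing on the system is exactly the kind of change the original list was written to make visible. The -xdev keeps find from wandering into NFS mounts, which would otherwise report set-id binaries you do not administer.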