Date:      Sat, 2 Aug 1997 00:40:50 -0600 (MDT)
From:      Marc Slemko <marcs@znep.com>
To:        freebsd-security@FreeBSD.ORG
Subject:   Re: Minimum files for operation 
Message-ID:  <Pine.BSF.3.95.970802003537.7520E-100000@alive.znep.com>
In-Reply-To: <199706270133.SAA25974@kirk.edmweb.com>

On Thu, 26 Jun 1997, Steve wrote:

> There was a post to this list briefly explaining the functions of most
> of the suid programs... Check the archives for a message from Marc
> Slemko, subject "setuid programs in freebsd". 

It is included below.  It is out of date.  Some of the comments
are not quite right.  It is no longer complete.  I don't have time to
update it and haven't even looked at it for a long time.  I was planning a
nice menu-driven program to allow people to tighten down the security of
their system, but other things came up and those other things will occupy
all my spare development time for the foreseeable future.

$Id: setuid.txt,v 1.3 1996/09/30 03:41:30 marcs Exp marcs $


  7681  240 -r-sr-xr-x    1 uucp     bin        110592 Jul 16 20:17 ./usr/bin/cu
  7682  152 -r-sr-xr-x    1 uucp     bin         77824 Jul 16 20:17 ./usr/bin/uucp
  7684   72 -r-sr-xr-x    1 uucp     bin         36864 Jul 16 20:17 ./usr/bin/uuname
  7687  168 -r-sr-xr-x    1 uucp     bin         86016 Jul 16 20:17 ./usr/bin/uustat
  7689  160 -r-sr-xr-x    1 uucp     bin         81920 Jul 16 20:18 ./usr/bin/uux
 99849  400 -r-sr-xr-x    1 uucp     bin        196608 Jul 16 20:17 ./usr/libexec/uucp/uucico
 99850  176 -r-sr-x---    1 uucp     uucp        90112 Jul 16 20:18 ./usr/libexec/uucp/uuxqt


USE: Used by uucp.  

IMPACT: If you are not using uucp on your system, removing the setuid
flag from uucp, uuname, uustat, uux, uuxqt and uucico will have no
impact on the functionality of your system.  If you use cu for accessing
ports, removing the setuid flag may or may not affect its use depending
on how you use it.  If you are using uucp, there is no easy way, and
arguably no need, to remove the setuid flag.

COMMENTS: Since they are setuid uucp and not root, a security hole would
only result in someone gaining access to the uucp user.  If you are
using uucp, compromising the uucp user means that all your uucp traffic
can be compromised.  If you aren't using uucp, compromising the uucp
user means that, on systems using the default permissions for /dev/cua*,
access to any serial devices on the systems will be gained.  If those
devices include modems, long distance phone calls could be made.


  7745  576 ---s--x--x    2 root     bin        286720 Jul 16 20:21 ./usr/bin/suidperl
  7745  576 ---s--x--x    2 root     bin        286720 Jul 16 20:21 ./usr/bin/sperl4.036

suidperl and sperl4.036 are both links to the same file.  suidperl
should be taken to refer to both suidperl and sperl4.036.  If you
installed perl5, there will also be suidperl and sperl* in
/usr/local/bin; the same comments apply to them.

USE: suidperl is a part of perl that allows for secure execution of
setuid and setgid perl scripts.  Traditionally, setuid and setgid
scripts have been insecure due to a race condition when executing the
script.  suidperl provides a workaround.  See the perlsec(1) (in perl 5)
or perl(1) (in perl 4; under the 'Setuid Scripts' section; the perl 4
man page is quite incomplete in this regard, so you probably want to use
the perl5 one) man page for more details.

IMPACT: Removing the setuid flag from suidperl will mean that setuid or
setgid perl scripts will no longer work.  Most people don't use them,
so for most people this is of little consequence.

COMMENTS: There was a rather large security hole discovered in
suidperl soon before the 2.1.5 release that allowed any user to gain
root access on many systems with suidperl installed.  FreeBSD 2.1.0
was vulnerable; 2.1.5 is not.  If you are still running a 2.1.0 system
and have not fixed suidperl, take the suid flag off suidperl and sperl* 
immediately and find out more about the problem.  Although, as far as
anyone knows, suidperl is now secure, I would advise removing the
setuid flags from all copies of 'sperl*' and 'suidperl' on your system
if you don't use setuid or setgid perl scripts.

  7772   40 -r-sr-xr-x    4 root     bin         20480 Jul 16 20:28 ./usr/bin/at
  7772   40 -r-sr-xr-x    4 root     bin         20480 Jul 16 20:28 ./usr/bin/atq
  7772   40 -r-sr-xr-x    4 root     bin         20480 Jul 16 20:28 ./usr/bin/atrm
  7772   40 -r-sr-xr-x    4 root     bin         20480 Jul 16 20:28 ./usr/bin/batch

at, atq, atrm and batch are links to the same file.

USE: Used to schedule jobs in a similar way to cron, except designed more
for non-repeating one time jobs.

IMPACT: Removing the setuid flag results in users other than root being 
unable to use at.


  7782   48 -r-sr-xr-x    6 root     bin         24576 Jul 16 20:29 ./usr/bin/chpass
  7782   48 -r-sr-xr-x    6 root     bin         24576 Jul 16 20:29 ./usr/bin/chfn
  7782   48 -r-sr-xr-x    6 root     bin         24576 Jul 16 20:29 ./usr/bin/chsh
  7782   48 -r-sr-xr-x    6 root     bin         24576 Jul 16 20:29 ./usr/bin/ypchpass
  7782   48 -r-sr-xr-x    6 root     bin         24576 Jul 16 20:29 ./usr/bin/ypchfn
  7782   48 -r-sr-xr-x    6 root     bin         24576 Jul 16 20:29 ./usr/bin/ypchsh

chpass, chfn, chsh, ypchpass, ypchfn and ypchsh are links to the same file.

USE: Used to change various information in the password file.

IMPACT: If the setuid flag is removed, users will be unable to change
information in the password file.


  7836   24 -r-sr-xr-x    1 root     bin         12288 Jul 16 20:30 ./usr/bin/keyinit

USE: Used by the S/Key authentication system to initialize the use of
S/Key one time passwords for logins.

IMPACT: Removing the setuid flag from keyinit means that the S/Key
authentication system will no longer be functional on your system.  

COMMENTS: *** Pointer to S/Key info.  *** Does S/Key need to be setuid
root?

  7843   24 -r-sr-xr-x    1 root     bin         12288 Jul 16 20:30 ./usr/bin/lock

USE: Allows the user to 'lock' their terminal from being used until
either the given password or login password (depending on command line
options) is given or the program times out.  

IMPACT: *** None?!?! (won't let user use login password to disable)

COMMENTS: *** error in source --> no root password

  7845   40 -r-sr-xr-x    1 root     bin         20480 Jul 16 20:30 ./usr/bin/login

USE: Used by many programs in the login name to authenticate by
username and password.  Can also be used by a user already logged in
to get a new login prompt if they wish to login again, possibly as
another user.

IMPACT: Removing the setuid flag from login results in people who are
already logged in being unable to run login to get a new login prompt.
For most systems this is not a problem, and many Unixes even ship
without login setuid.

COMMENT: Although login should be quite secure, and does run as root
anyway from programs such as telnetd, removing the setuid flag has so
few side effects that it is worthwhile doing if acceptable in your
situation.

  7868   40 -r-sr-xr-x    2 root     bin         20480 Jul 16 20:30 ./usr/bin/passwd
  7868   40 -r-sr-xr-x    2 root     bin         20480 Jul 16 20:30 ./usr/bin/yppasswd

passwd and yppasswd are links to the same file.

USE: Allows users to change their password.

IMPACT: Removing the setuid flag from passwd means that users will be
unable to change their passwords.  There are few environments in which
this is practical.  

COMMENTS: This is one of the things that it is reasonable to require a
program that is setuid root to do.  People interested in increasing
the security of user passwords should look at something like ANLpasswd
which checks user passwords in an attempt to encourage the user to
choose a secure password.  *** add pointer to more info

  7873   24 -r-sr-xr-x    1 root     bin         12288 Jul 16 20:30 ./usr/bin/quota

USE: Displays information about users' disk usage and limits.

IMPACT: Removing the setuid flag means that only users with access to
read quota.user on the relevant partition will be able to get quota
information.  If you aren't using quotas, removing the setuid flag
will have no impact on operations.

COMMENTS: *** why is it setuid root?  why not setgid something?

  7875   88 -r-sr-xr-x    1 root     bin         45056 Jul 16 20:30 ./usr/bin/rdist

USE: rdist is a program that allows for automated remote file
distribution.  

IMPACT: Removing the setuid flag means that only root will be able to
use rdist.  If you aren't using rdist, removing the setuid flag will
have no impact on operations.

COMMENTS: There was a rather large security hole discovered in rdist
soon before the 2.1.5 release that allowed any user to gain root
access on most systems with rdist installed.  FreeBSD 2.1.0 is
vulnerable; 2.1.5 is not.  If you are still running a 2.1.0 system and
have not fixed rdist, take the suid flag off rdist immediately and
find out more about the problem.  Although, as far as anyone knows,
the current rdist is secure, I would recommend removing the setuid
flag from rdist.  If you require the functionality provided by rdist,
there is a rdist-6.1.2 package/port which uses rsh; since it uses rsh
and does not call rcmd(3) directly, it does not need to be setuid
root.  Also note that both versions of rdist use host based security,
which has some quite serious flaws.  It is possible to make ssh work
with the rdist-6.1.2 package; that is strongly recommended if you need
to use rdist.

  7878   32 -r-sr-xr-x    1 root     bin         16384 Jul 16 20:30 ./usr/bin/rlogin

USE: rlogin allows you to login remotely to a machine over the
network.  

IMPACT: removing the setuid flag from rlogin means that users other
than root will be unable to use rlogin to connect to remote hosts.  

COMMENTS: There was a security hole in rlogin that was patched soon
after the 2.1.5 release.  I have not investigated it in depth, nor
have I heard of any exploits for it, but it is possible that the hole
discovered could allow others to gain root access to your system.  ***
more info, pointer to fixed binary?  In many environments, rlogin can
not be disabled without having an unacceptable impact on system
usability.  ** add note on rlogin and host based auth in general?

  7882   24 -r-sr-xr-x    1 root     bin         12288 Jul 16 20:31 ./usr/bin/rsh

USE: rsh is similar to rlogin in that it allows remote execution of
commands, however rsh can not be used with interactive commands. ***
fix up

IMPACT: removing the setuid flag from rsh means that users other than
root will be unable to use rsh to connect to remote hosts.

COMMENTS: In many environments, rsh can not be disabled without having
an unacceptable impact on system usability.

  7901   24 -r-sr-xr-x    1 root     bin         12288 Jul 16 20:31 ./usr/bin/su

USE: su is used to switch the user you are running as.  It can be used
by those in group wheel to switch to the root user (uid 0), and by
others to switch to other users.  Authentication is by password.

IMPACT: removing the setuid flag from su means that users other than
root will be unable to use su to switch to other users.  

COMMENTS: In most cases, unless some alternative such as sudo is being
used, removing the setuid flag from su is a very bad idea since it
means people need to login as root directly to do things requiring
superuser privileges.  In many environments, an acceptable alternative
is to chgrp su to group wheel and take away execute permission to
people not in group wheel.  This means that while people in group
wheel can still use su to switch users, others will be unable to use
it.  To some, this is viewed as being desirable in itself, regardless
of other security improvements that it may make.

  7960   48 -r-sr-xr-x    1 root     bin         24576 Jul 16 20:33 ./usr/bin/crontab

USE: crontab is used by users to edit their crontab files.

IMPACT: removing the setuid flag from crontab means that users other
than root will be unable to modify their crontabs.  

COMMENTS: At some sites, local policy is to not let users have their
own crontabs.  If this is the case, it can be worthwhile to make a
separate group for those users allowed to have crontabs and only allow
users in that group to run crontab.  

  7964   32 -r-sr-sr-x    1 root     daemon      16384 Jul 16 20:33 ./usr/bin/lpq
  7965   40 -r-sr-sr-x    1 root     daemon      20480 Jul 16 20:33 ./usr/bin/lpr
  7966   32 -r-sr-sr-x    1 root     daemon      16384 Jul 16 20:33 ./usr/bin/lprm

USE: All part of the BSD line printer system used for print queueing,
both locally and to and from remote hosts.

IMPACT: removing the setuid and setgid flags from the above three
utilities means that users other than root will be unable to execute them
to submit or remove print jobs.  There is an associated program called
lpc that is setgid daemon and which can be used, by authorized users,
to control print queuing.  On hosts that do not use this system for
print queueing, removing the setuid and setgid flags will have no
impact.

COMMENTS: Although lpd and associated programs do not have any
currently known problems, I hesitate to trust them.  There is no real 
need for such a program to run as root most of the time.  If you don't use
them, disable them.  If you do need the functionality that they
provide, I suggest you take a look at LPRng (which originates from
PLP).  LPRng is a much more secure replacement to lpd and associated
programs that also adds numerous features.  It is available at
ftp://dickory.sdsu.edu/pub/LPRng.


  7967  496 -r-sr-xr-x    3 root     bin        245760 Jul 16 20:37 ./usr/bin/newaliases
  7967  496 -r-sr-xr-x    3 root     bin        245760 Jul 16 20:37 ./usr/bin/mailq
  7967  496 -r-sr-xr-x    3 root     bin        245760 Jul 16 20:37 ./usr/sbin/sendmail

These three programs are links to the same file.

USE: Sendmail is a full featured SMTP transport program.

IMPACT: Removing the setuid flags from these programs, without some
fairly in-depth other changes, will result in very major problems,
even if you aren't connected to the Internet.  

COMMENTS: *** It's sendmail.  smapd, smrsh, other programs to help
reduce risk?  alternatives?  don't run sendmail as daemon if you don't
need to receive mail. *** recent bug fixes

 76850   24 -r-sr-xr-x    1 root     bin         12288 Jul 16 20:22 ./usr/libexec/mail.local

USE: Part of sendmail; used for local mail delivery.

IMPACT: Removing the setuid flag from mail.local, without numerous
other changes, will result in major problems on your system.  

COMMENTS: *** related to sendmail, setgid possibilities

    65   40 -rwsr-xr-x    1 root     bin         20480 Jul 16 20:33 ./usr/sbin/mrinfo
    67   56 -rwsr-xr-x    1 root     bin         28672 Jul 16 20:33 ./usr/sbin/mtrace

USE: Used to debug multicast routing.

IMPACT: Removing the setuid flag from mrinfo and mtrace will mean that
users other than root will be unable to use these utilities to get
information about multicast routing.  If you aren't using multicast
routing, they can be disabled without problem.

COMMENTS: If you don't know what multicast routing is, you almost
certainly aren't using it.

    91  168 -r-sr-xr-x    1 root     bin         86016 Jul 16 20:34 ./usr/sbin/ppp

USE: Establish ppp connections using kernel level ppp.

IMPACT: Removing the setuid flag results in users other than root
being unable to run kernel level ppp.

COMMENTS: If you are using user level ppp (see "/usr/sbin/ppp"),
disabling kernel level ppp ("pppd") will have no impact on your ppp
connections.  On many systems that do use pppd, there is no need to
have it executable by everyone so restricting execution to a specific
group may be appropriate.

    92  128 -r-sr-xr-x    1 root     bin         65536 Jul 16 20:34 ./usr/sbin/pppd

USE: Establishing ppp connections using user level ppp.

IMPACT: Removing the setuid flag results in users other than root
being unable to run kernel level ppp.

COMMENTS: If you are using kernel level ppp (see "/usr/sbin/pppd"),
disabling user level ppp will have no impact on your ppp connections.
On many systems that do use user level ppp, there is no need to have it
executable by everyone so restricting execution to a specific group may
be appropriate.  Personally, I have some serious (perhaps unfair; I have
NOT really looked into the code in depth) concerns about the thought
given by the author to security while writing "ppp".  These concerns
include things such as the suggested login script in the man page
(although that may or may not have been suggested by the original
author; see PR 1383 for details) and the default of allowing telnet
connections to manage the ppp session.  *** info on recent bug and fix

   108   32 -r-sr-xr-x    1 root     bin         16384 Jul 16 20:34 ./usr/sbin/sliplogin

USE: Establishing a SLIP connection.

IMPACT: Removing the setuid flag results in users other than root being 
unable to properly establish a SLIP connection.

COMMENTS: If you don't use slip, take the setuid flag off.  There was a 
security hole in old versions that was fixed as of 1996/04/24; 2.1.0 is
vulnerable, 2.1.5 should be fixed.


   118   40 -r-sr-xr-x    1 root     bin         20480 Jul 16 20:34 ./usr/sbin/timedc

USE: Used to control the time daemon timed.  

IMPACT: Removing the setuid flag results in users other than root being
unable to use timedc.  timedc is setuid because it needs to bind to a 
privileged port.  If you don't use timedc, timed should work just fine
with the setuid flag removed from timed.

COMMENTS: This code seems relatively secure since it gets rid of its root
privileges right after it binds to the port.

   119   32 -r-sr-xr-x    1 root     bin         16384 Jul 16 20:34 ./usr/sbin/traceroute

USE: Used to trace the route that IP packets follow over a network.  
Extremely useful for users in many environments.

IMPACT: Removing the setuid flag results in users other than root being
unable to use traceroute.

COMMENTS: There have been some recent security fixes in traceroute, but
I am uncertain as to if they fix exploitable holes.  *** 

   207  352 -r-sr-xr-x    1 root     bin        172032 Jul 16 20:15 ./bin/rcp

USE: Used to copy files across the network.

IMPACT: Removing the setuid flag results in users other than root being
unable to use rcp.

COMMENTS: rcp uses host based security and is vulnerable to things such
as IP spoofing.  A bad thing to use, not just because of any possible
security problems in the binary.  ssh is a more secure solution that is 
worth investigating.

   686  384 -r-sr-sr-x    2 root     tty        188416 Jul 16 20:23 ./sbin/dump
   686  384 -r-sr-sr-x    2 root     tty        188416 Jul 16 20:23 ./sbin/rdump

dump and rdump are links to the same file.

USE: Used for local and network backups.

IMPACT: Removing the setuid flag results in users other than root being 
unable to perform backups of the filesystem.

COMMENTS: The idea is that anyone in the 'operator' group is able to do
backups without having to be root.  This is an ideal candidate for 
restricting execution by means of group, except for the fact that it has
to be setgid tty to allow the 'n' option to work.  If you don't use the
'n' option, remove the setgid flag, change it to group operator, and remove
the world execute flag.  Then only those in the operator group can exploit
any security holes that may be there, and since generally they can read
from the raw disk device anyway...  If it is not setuid root, then local
backups can still work as long as the person doing them has access to the
raw device file and the dump device, however network backups will not work
because rcmd(3) will fail.


   717  256 -r-sr-xr-x    1 root     bin        118784 Jul 16 20:24 ./sbin/ping

USE: ping is used to send icmp echo requests to hosts on the network
for the purpose of determining reachability.  

IMPACT: removing the setuid flag results in users other than root being
unable to use ping.

COMMENTS: ping is a very useful thing for users, although there are possible
denial of service attacks possible, especially with the '-l' option.  There
have been some potential security holes fixed after 2.1.5 was released,
but it appears like none of them are exploitable.  Perhaps.

   721  416 -r-sr-sr-x    2 root     tty        204800 Jul 16 20:24 ./sbin/restore
   721  416 -r-sr-sr-x    2 root     tty        204800 Jul 16 20:24 ./sbin/rrestore

restore and rrestore are links to the same file.

USE: Used for local and network restores.

IMPACT: same as dump

COMMENTS: same as dump

   722  272 -r-sr-xr-x    1 root     bin        126976 Jul 16 20:24 ./sbin/route

USE: route is used to maintain the routing table.

IMPACT: removing the setuid flag results in users other than root being 
unable to access the routing table via route.  Normally users can't 
change routes anyway, so the only thing you lose is 'route get' and
'route monitor'.  

COMMENTS: minimal impact in most situations if the setuid flag is removed.

   726  288 -r-sr-x---    1 root     operator   139264 Jul 16 20:24 ./sbin/shutdown

USE: Used to shutdown the system.

IMPACT: removing the setuid flag results in users other than root being
unable to use shutdown.  

COMMENTS: it is restricted to execution by those in the operator group 
anyway, so as long as you are careful about who you put in the operator
group there should be little risk.

   734  288 -r-sr-xr-x    1 root     bin        139264 Jul 16 20:24 ./sbin/mount_msdos

USE: Used to mount MS-DOS filesystems.

IMPACT: removing the setuid flag results in users other than root being
unable to mount DOS filesystems.

COMMENTS: I sure don't want users mounting filesystems on my box.  While
it is true that in some situations it can be useful to allow users to
do so, I much prefer mtools if users need access to DOS filesystems.
I find it more an issue of stability than security, since I don't trust
the FreeBSD DOS filesystem code.





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.95.970802003537.7520E-100000>