From owner-freebsd-security Mon Jul 15 12:14:34 1996
Date: Mon, 15 Jul 1996 11:34:45 -0600 (MDT)
From: Marc Slemko
To: freebsd-security@FreeBSD.ORG
Subject: Re: Minimal SUID/SGID programs list? (was: Re: New EXPLOIT located!)

On Mon, 15 Jul 1996, Brandon Gillespie wrote:

> Does anybody have a list of the minimal SUID/SGID programs needed? I
> could easily start removing bits everywhere, but the server I would like
> to do it on needs to stay UP without problems.. I can go back later and
> set the programs I need personally back to suid, but what does the OS need?

You can have a reasonably useful system with 0 setuid programs, although a
few setuid wrappers would probably make life a little happier. For most
programs, taking the setuid flag off simply reduces or eliminates the
functionality of the program. For some programs, that isn't a big deal
since you can either just run them as root or not use them. sendmail is
one of the harder programs to fiddle with so it doesn't run as root, since
it actually requires thinking, but it is certainly possible.

Getting rid of setgid programs can start cutting into useful utilities
more, although there is little risk in having things like write setgid
tty. The group of setgid programs that are the hardest to get rid of are
those like ps that need access to kmem to work.

I think the reason that all these programs are installed setuid by default
is that every situation is different, and there are no programs which are
not 'needed' by someone. This is a reasonable idea, and perhaps it is
reasonable to have all programs installed in fully functional states, even
if that means having them setuid or setgid.

I am thinking about the idea of an interactive setup script which would
display information about each setgid/setuid program, what it is used for,
what happens if the setuid/setgid flag is taken off, etc. This script
could then be run at setup time for initial configuration, or later for
reconfiguration, and let the novice user reduce the security risks of
setuid and setgid programs on their system. It is easy for people who know
what they are doing to come up with a customized script that they can run
on their systems, but most people don't have this ability.

Consider how many serious security holes have been found in setuid
programs recently. Then think of how many systems don't use most, or even
all, of those programs. The concept of simply disabling things you don't
need isn't new or complicated, but I don't see it being done by most
people.

If no one else gets there first, I may be able to find the time to start
on such a script myself.

--
Marc Slemko
1:342/1003@fidonet
marcs@alive.ampr.ab.ca
marcs@alive.ersys.edmonton.ab.ca
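The inventory step that such a script would start from, as an added example that is not part of the original message or of any FreeBSD script: a POSIX sh audit that lists every setuid/setgid file under the given directories, tags each one with the bit it carries, and reports those not on a per-site allowlist of binaries the administrator has decided to keep. It assumes find(1) with `-perm -4000`/`-perm -2000` and the `test -u`/`test -g` operators; the file names (`ping`, `wall`, `ls`) and the allowlist contents in the demo are constructed, and the demo builds its own temporary tree rather than touching the real system.

```shell
#!/bin/sh
# Added example: audit setuid/setgid files against a site allowlist.
# Assumes POSIX sh, find(1) -perm with octal masks, and test -u / -g.

# find_privileged_files DIR...: print every regular file under the given
# directories that has the setuid (4000) or setgid (2000) bit set.
find_privileged_files() {
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# describe_file PATH: print "<bits>\t<path>", where <bits> is
# "setuid", "setgid", or "setuid setgid".
describe_file() {
    f=$1
    bits=""
    [ -u "$f" ] && bits="${bits}setuid "
    [ -g "$f" ] && bits="${bits}setgid "
    printf '%s\t%s\n' "${bits% }" "$f"
}

# report_unlisted ALLOWLIST DIR...: print the privileged files whose base
# name is not an exact line in ALLOWLIST (one binary name per line).
report_unlisted() {
    allow=$1
    shift
    find_privileged_files "$@" | while IFS= read -r f; do
        if ! grep -qx -- "$(basename "$f")" "$allow"; then
            describe_file "$f"
        fi
    done
}

# count_unlisted ALLOWLIST DIR...: number of privileged files not allowlisted.
count_unlisted() {
    report_unlisted "$@" | wc -l | tr -d ' '
}

# demo: build a constructed sample tree and run the audit on it.
# Real use would be something like: report_unlisted /etc/suid.allow /usr/bin /usr/sbin /bin /sbin
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/bin"
    : > "$tmp/bin/ping"; chmod 4755 "$tmp/bin/ping"   # constructed: setuid root-style tool
    : > "$tmp/bin/wall"; chmod 2755 "$tmp/bin/wall"   # constructed: setgid tty-style tool
    : > "$tmp/bin/ls";   chmod 0755 "$tmp/bin/ls"     # constructed: no privilege bits
    printf 'ping\n' > "$tmp/allow"                    # constructed allowlist: keep ping only
    echo "privileged files:"
    find_privileged_files "$tmp/bin" | while IFS= read -r f; do describe_file "$f"; done
    echo "not on allowlist:"
    report_unlisted "$tmp/allow" "$tmp/bin"
    rm -rf "$tmp"
}

demo
```

Running the audit from cron and diffing the output against the previous run turns the same functions into a cheap detector for new privilege bits appearing on a system; the allowlist is the place to record, per site, why each retained binary still needs its bit.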