From owner-freebsd-security Fri Jul 12 22:39:45 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id WAA10120 for security-outgoing; Fri, 12 Jul 1996 22:39:45 -0700 (PDT)
Received: from post.io.org (post.io.org [198.133.36.6]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id WAA10111 for ; Fri, 12 Jul 1996 22:39:41 -0700 (PDT)
Received: from zap.io.org (taob@zap.io.org [198.133.36.81]) by post.io.org (8.7.5/8.7.3) with SMTP id BAA08892; Sat, 13 Jul 1996 01:39:30 -0400 (EDT)
Date: Sat, 13 Jul 1996 01:39:30 -0400 (EDT)
From: Brian Tao
To: Thomas Ptacek
cc: freebsd-security@FreeBSD.org
Subject: Re: Permissions
In-Reply-To: <199607130019.TAA19991@enteract.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

On Fri, 12 Jul 1996, Thomas Ptacek wrote:
>
> Furthermore, the standard rc file turns on lots of stuff I don't want
> to see running, like lpd and routed.

There are knobs for both lpd and routed/gated in post-2.1 /etc/sysconfig.

> The more recent public FreeBSD security problems have been pretty
> stupid. Why was mount_union SUID? Almost nobody I know that runs
> FreeBSD even knows what unionfs is. Likewise, ppp and sliplogin? All
> the UUCP stuff? I'll bet 99% of everyone who installs FreeBSD will
> never touch UUCP.

Below, I've included a series of commands I run whenever I upgrade one of
our public servers. It follows the principle of least privilege: if only
root should be running a binary, then it doesn't need to be setuid root,
and probably doesn't need group/other execute permissions. Directories
that aren't needed are removed, e.g.: no mail is received on the shell
servers, so neither /var/mail nor mail.local are needed.

Depending on your needs, you may need crontab or the lp system, but I've
been able to reduce the number of setuid root binaries to 12 (3 of which
are the sendmail/newaliases/mailq hard links) and a bunch of setgid kmem
binaries. With the recent crop of root exploits, this kind of policy could
have avoided the mount_union, man, suidperl and rdist vulnerabilities.
Knowing that you can head off hacking attempts before they happen is worth
coming up with a similar policy on your servers.

>>>>>
cd /sbin ; chmod go-rwx mount_* *dump *restore route shutdown
cd /usr/bin ; chmod go-rwx at* batch crontab cu key* *-local logger lp* rdist uucp uulog uuname uupick uusched uustat uuto uux wall
cd /usr/sbin ; chmod go-rwx lp* mrinfo mtrace ppp* sliplogin timedc
cd /usr/libexec ; chmod go-rwx mail.local

cd /sbin ; chmod ug-s mount_* *dump *restore route shutdown
cd /usr/bin ; chmod ug-s crontab man rdist suidperl
cd /usr/sbin ; chmod ug-s mrinfo mtrace
cd /usr/libexec ; chmod ug-s mail.local

rmdir /lost+found /usr/lost+found /var/lost+found /usr/local/lost+found /var/mail
rm -rf /var/spool/uucp* /usr/libexec/uucp /usr/libexec/lpr /etc/ppp /etc/uucp /etc/gnats /etc/kerberosIV

chflags schg /kernel* /lkm/* /bin/* /sbin/* /usr/bin/* /usr/sbin/* /usr/lib/* /usr/libexec/*
chflags sappnd /bin /lkm /sbin /stand /usr/bin /usr/include /usr/sbin /usr/lib /usr/libexec
<<<<<

--
Brian Tao (BT300, taob@io.org, taob@ican.net)
Senior Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"
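The post above lists the binaries one administrator chose to strip by hand; the complementary defender's step is to keep an allowlist of the setuid/setgid files a host is supposed to have and audit the installed tree against it after every upgrade, so a new or reintroduced privileged binary is noticed rather than assumed away. The following POSIX shell script is an added example and is not Brian Tao's script or any FreeBSD project code. It enumerates setuid/setgid regular files under a root directory, reports the ones missing from an allowlist, and can apply the same `chmod ug-s,go-rwx` treatment the post uses to the rest. The allowlist contents and the `audit_setuid.sh` name are constructed assumptions (the post's own list of 12 is not reproduced), and `chflags` is deliberately left out so the script also runs on non-BSD systems.

```shell
#!/bin/sh
# audit_setuid.sh: enumerate setuid/setgid files under a root, report the
# ones not on an allowlist, and optionally strip their privilege bits.
# Added example, not the script from the post. The allowlist is a
# constructed sample; replace it with the set your own hosts need.

# Paths (relative to the audited root) that are expected to stay setuid or
# setgid. Constructed sample, not the post's list of 12.
SETUID_ALLOW="/usr/bin/passwd /usr/bin/su /usr/sbin/sendmail"

# list_privileged ROOT
#   Print every regular file under ROOT carrying the setuid (4000) or
#   setgid (2000) bit, one path per line, sorted. -perm -MODE matches
#   when all of MODE's bits are set, so the two tests are ORed.
list_privileged() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# is_allowed RELPATH
#   Succeed if RELPATH is on the allowlist. The space padding makes the
#   match exact, so /usr/bin/su does not also match /usr/bin/sudo.
is_allowed() {
    case " $SETUID_ALLOW " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# unexpected_privileged ROOT
#   Print, relative to ROOT, each privileged file that is not allowlisted.
#   ROOT may be / or a staging tree; the ROOT prefix is stripped so the
#   allowlist can be written as absolute install paths.
unexpected_privileged() {
    root=${1%/}
    list_privileged "$1" | while IFS= read -r f; do
        rel=${f#"$root"}
        is_allowed "$rel" || printf '%s\n' "$rel"
    done
}

# harden_file FILE
#   Apply the post's treatment to a single file: drop setuid/setgid and
#   remove group/other access so only root can run it.
harden_file() {
    chmod ug-s,go-rwx "$1"
}

# fix_unexpected ROOT
#   Harden every unexpected privileged file under ROOT, printing each
#   path as it is changed.
fix_unexpected() {
    root=${1%/}
    unexpected_privileged "$1" | while IFS= read -r rel; do
        harden_file "$root$rel" && printf 'hardened %s\n' "$rel"
    done
}

# Command-line use: audit_setuid.sh ROOT [--fix]
# With no arguments the script only defines the functions above.
if [ $# -ge 1 ]; then
    if [ "${2:-}" = "--fix" ]; then
        fix_unexpected "$1"
    else
        unexpected_privileged "$1"
    fi
fi
```

Run it read-only first (`sh audit_setuid.sh /`) and review the report before adding `--fix`; an allowlist written as absolute install paths also lets the same script check a freshly extracted distribution tree before it goes live, which is where a reintroduced setuid bit is cheapest to catch.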