
suid & guid binaries....



I hope this all makes sense.

There does not seem to be a way to have a transcript simply change the mode bits of a file that is in another transcript's file cache.

Below is a list of binaries with the setuid bit set. This list was created by Adam Herscher <ahersche@xxxxxxxxx> per Andrew Inman's request. Would it be ok to remove the suid & guid bits on the following files and then make the in the appropriate transcript?

If it is not ok to change the mode of these files then is there a server side solution to this issue? These are not desired solutions:

 -Simply reset the modes in an overload which works on the client but then
  the transcript won't lcksum on the server (sixthday) because the file
  doesn't exist in the overload.

 -Copying the files to the overload transcript but that creates a fork of
  binaries.

 -A hard link could be created to the originating transcript file cache
  binaries in overloaded transcript file cache but any time the real file
  changes all transcripts containing the hard linked file need to have
  their checksum changed.

---- suid & guid binaries listing

/bin/mount
/bin/ping
/bin/su
/bin/umount
/sbin/unix_chkpwd
/usr/bin/chsh
/usr/bin/crontab
/usr/bin/gpasswd
/usr/bin/chage
/usr/bin/procmail
/usr/bin/chfn
/usr/bin/lppasswd
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/pt_chown
/usr/bin/at
/usr/bin/expiry
/usr/libexec/ssh-keysign
/usr/local/krb5/bin/ksu
/usr/local/krb5/bin/v4rcp
/usr/local/kde/bin/fileshareset
/usr/local/kde/bin/kcheckpass
/usr/local/kde/bin/kgrantpty
/usr/local/kde/bin/kpac_dhcp_helper
/usr/local/mit-k5-1.3.4/bin/ksu
/usr/local/mit-k5-1.3.4/bin/v4rcp
/usr/sbin/ssh-keysign
/usr/sbin/mtr
/usr/sbin/rscsi
/usr/sbin/sendmail
/usr/sbin/traceroute
/usr/X11R6/bin/XFree86
/usr/X11R6/bin/xterm

According to Adam Herscher, Chris Wing over at CAEN (wingc@xxxxxxxxx) has said they've removed the suid bit from all but the following binaries on their Linux login systems without problem:

	/usr/bin/newgrp
	/bin/su
	/bin/ping
	/sbin/unix_chkpwd	[ part of PAM, this checks shadow
				passwords for non-root apps. It could
				probably be disabled since we use
				Kerberos ]

We should probably do the same. Otherwise, security vulnerabilities in individual packages become root exploits.

Same goes for setgid binaries:

/usr/bin/write
/usr/bin/procmail
/usr/bin/lockfile
/usr/local/kde/bin/kdesud
/usr/local/nmh/bin/inc

Thoughts or comments?

!"!"!"!"!"!"!"!"!"!"!"!"!"!"!"!"!"!"!"!"!"!"!"!"!"!"!"!"!"!"!"!
Allen Bailey
The University of Michigan            |  http://www.umich.edu/~akbailey
ITCS Contract Services/GPCC           |  fax: 734-936-4919
akbailey@xxxxxxxxx                    |  cellphone: 734-355-9332
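
An added example, not part of the original message and not radmind code: a dry-run audit that walks a tree, reports regular files carrying setuid or setgid bits that are not on a keep list, and can clear those bits on one file. The keep list is the four binaries the message says CAEN left setuid; the function names are hypothetical, and the script does not update any transcript or checksum.

```python
import os
import stat
import sys

# Keep list taken from the message: the binaries CAEN left setuid.
KEEP_SETUID = {"/usr/bin/newgrp", "/bin/su", "/bin/ping", "/sbin/unix_chkpwd"}
SPECIAL = stat.S_ISUID | stat.S_ISGID


def special_bits(mode):
    """Return 'suid', 'sgid', 'suid+sgid' or '' for an st_mode value."""
    names = []
    if mode & stat.S_ISUID:
        names.append("suid")
    if mode & stat.S_ISGID:
        names.append("sgid")
    return "+".join(names)


def audit(root, keep):
    """List (path, bits) for setuid/setgid regular files under root that are
    not in keep. Paths are reported relative to root with a leading '/', so a
    staged copy of a tree can be checked against the same keep list."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):  # does not follow dir symlinks
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)  # lstat: judge the entry, not a link target
            except OSError:
                continue  # vanished or unreadable entry
            if not stat.S_ISREG(st.st_mode):
                continue  # setgid on directories means something else
            bits = special_bits(st.st_mode)
            logical = "/" + os.path.relpath(full, root)
            if bits and logical not in keep:
                findings.append((logical, bits))
    return sorted(findings)


def strip_bits(path):
    """Clear setuid and setgid on path, keep the other mode bits, and return
    the new mode. O_NOFOLLOW refuses a symlink swapped in for the file."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        new_mode = stat.S_IMODE(os.fstat(fd).st_mode) & ~SPECIAL
        os.fchmod(fd, new_mode)
        return new_mode
    finally:
        os.close(fd)

if __name__ == "__main__":  # report only; nothing is changed
    for path, bits in audit(sys.argv[1] if len(sys.argv) > 1 else "/", KEEP_SETUID):
        print(f"{bits}\t{path}")
```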