Hello.
Scrubbing SUIDs and SGIDs has been a perennial security recommendation for Linux. Recently I ran:
find / \( -perm -4000 -o -perm -2000 \) -exec ls -ldb {} \;
on one of my Arch Linux machines, which resulted in finding 43 SUIDs and SGIDs:
-r-sr-xr-x 1 root root 19848 Jul 1 13:19 /bin/su
-rwsr-xr-x 1 root root 31024 Jun 10 09:32 /bin/ping
-rwsr-xr-x 1 root root 64816 May 13 19:15 /bin/mount
-rwsr-xr-x 1 root root 26832 Jun 10 09:32 /bin/ping6
-rwsr-xr-x 1 root root 31908 May 13 19:15 /bin/umount
-rwsr-xr-x 1 root root 544452 Jun 7 06:27 /opt/kde/bin/kppp
-rwsr-xr-x 1 root root 10341 Jan 17 2004 /opt/kde/bin/fileshareset
-rwsr-xr-x 1 root root 5188 Jun 6 19:54 /opt/kde/bin/kgrantpty
-rwxr-sr-x 1 root 1003 52152 Jun 6 21:07 /opt/kde/bin/kdesud
-rwsr-xr-x 1 root root 10368 Jun 6 21:07 /opt/kde/bin/kcheckpass
-rwsr-xr-x 1 root root 5356 Jun 6 19:54 /opt/kde/bin/kpac_dhcp_helper
-rwsr-xr-x 1 root root 28444 Jul 1 12:58 /usr/bin/chfn
-rwsr-xr-x 1 root root 24368 Jul 1 12:58 /usr/bin/chsh
-rwxr-sr-x 1 root mail 78200 Sep 4 2002 /usr/bin/mail
---s--x--x 1 root root 85800 Jun 21 2003 /usr/bin/sudo
-rwsr-xr-x 1 daemon daemon 8480 Jul 21 14:16 /usr/bin/lppasswd
-rwsr-xr-x 1 root root 10032 May 5 18:15 /usr/bin/crontab
-rwsr-xr-x 1 root root 34988 Jul 1 12:58 /usr/bin/chage
-rwxr-sr-x 1 root tty 8012 May 13 19:15 /usr/bin/write
-rwxr-sr-x 1 root slocate 26432 Dec 4 2003 /usr/bin/slocate
-rwsr-xr-x 1 root root 201216 Jul 27 11:56 /usr/bin/xscreensaver
-rws--x--- 1 root cdrom 552820 Jul 20 19:06 /usr/bin/cdrdao
-rwsr-xr-x 1 root root 15532 Jul 1 12:58 /usr/bin/expiry
-rwsr-xr-x 1 root root 11768 Jan 6 2003 /usr/bin/netselect
-rwsr-xr-x 1 root root 19756 Jul 1 12:58 /usr/bin/newgrp
-rwsr-xr-x 1 root root 25004 Jul 1 12:58 /usr/bin/passwd
-rwsr-xr-x 1 root root 32952 Jul 1 12:58 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 10564 Jul 27 11:52 /usr/bin/suexec
-rwsr-xr-x 1 root root 68056 Oct 22 2002 /usr/bin/procmail
-rwsr-xr-x 1 root root 306444 Dec 6 2003 /usr/bin/screen-4.0.2
-rwsr-xr-x 1 root root 5772 Aug 3 14:48 /usr/bin/pt_chown
-rws--x--- 1 root cdrom 290364 May 30 2003 /usr/bin/cdrecord
-rws--x--x 1 root root 132396 Apr 19 12:41 /usr/lib/ssh/ssh-keysign
-r-sr-x--- 1 root root 24676 Jan 30 2004 /usr/lib/pppd/2.4.2/rp-pppoe.so
-rws--x--x 1 root bin 88156 May 30 2003 /usr/sbin/rscsi
-rwsr-xr-x 1 root root 564048 Jul 23 16:48 /usr/sbin/exim-4.41-1
-r-sr-xr-x 1 root bin 18328 Sep 4 2002 /usr/sbin/traceroute
-rws--x--x 1 root root 1943573 Jul 10 10:22 /usr/X11R6/bin/Xorg
-rws--x--x 1 root root 292896 Jul 10 10:22 /usr/X11R6/bin/xterm
-rwsr-xr-x 1 root root 21790 Jul 1 14:22 /usr/X11R6/bin/xcardinfo
-rwsr-xr-x 1 root root 9670 Jul 16 12:44 /usr/libexec/rssh_chroot_helper
-r-sr-xr-x 1 root root 14424 Mar 16 14:52 /sbin/unix_chkpwd
-rwsr-xr-x 1 root root 14148 Jul 1 14:22 /sbin/cardctl
First Question: How many of these should NOT be SUID or SGID "out of the box" (i.e., on installation of Arch Linux)?
Second Question: What are some good approaches to reducing the use of SUIDs and SGIDs?
My approaches are: (a) deleting executables/packages that I actually don't use (for example, I will remove executables/packages I don't ever use or plan to use such as /opt/kde/bin/kppp); (b) removing the SUID or SGID bit on some of the executables.
My concern is less with approach (a) than with (b). Which of these executables MUST be SUID or SGID to work properly?
Regards,
Win
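An added audit script (not from this thread or from Arch) that takes approach (b) a step further: it lists every file with either bit set, compares the paths against an allowlist of files expected to keep the bit, flags entries not owned by root, and prints a dry-run removal plan. The sample listing and the allowlist are constructed, and it assumes GNU find and stat.

```shell
#!/bin/sh
# Added example, not from the thread. Audits SUID/SGID files against an allowlist
# of paths expected to carry the bit, and prints a dry-run plan for approach (b).
# Assumes GNU findutils/coreutils (stat -c); sample data below is constructed.

# Live listing, one "mode owner group path" line per file. The parentheses and
# the ';' must be backslash-escaped so the shell passes them to find intact.
list_setuid() {
    find "${1:-/}" -xdev \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%A %U %G %n' {} \; 2>/dev/null | sort -k 4
}

# Constructed sample listing, same format as list_setuid output.
SAMPLE_LISTING='-rwsr-xr-x root root /bin/ping
-rwsr-xr-x root root /opt/kde/bin/kppp
-rwsr-xr-x root root /usr/bin/passwd
-rwsr-xr-x daemon daemon /usr/bin/lppasswd
-rwxr-sr-x root tty /usr/bin/write
-rwsr-xr-x root root /usr/local/bin/legacy-helper'

# Constructed allowlist: paths this install is expected to keep privileged.
ALLOWLIST='/bin/ping
/usr/bin/passwd
/usr/bin/lppasswd
/usr/bin/write'

# Print each listed file whose path is not in the allowlist (exact match).
unexpected_setuid() {
    listing=$1; allow=$2
    printf '%s\n' "$listing" | while read -r mode owner group path; do
        [ -n "$path" ] || continue
        if ! printf '%s\n' "$allow" | grep -qxF -- "$path"; then
            printf '%s %s %s %s\n' "$mode" "$owner" "$group" "$path"
        fi
    done
}

# Flag privileged files not owned by root: rarely needed, always worth a look.
nonroot_setuid() {
    printf '%s\n' "$1" | awk '$2 != "root" { print }'
}

# Dry run for approach (b): emit the chmod lines, review them, then run them.
# The original mode is recorded in the comment so the change can be reverted.
plan_removal() {
    unexpected_setuid "$1" "$2" | while read -r mode owner group path; do
        printf "chmod u-s,g-s '%s'   # was %s\n" "$path" "$mode"
    done
}

# Against the live system:  plan_removal "$(list_setuid /)" "$ALLOWLIST"
plan_removal "$SAMPLE_LISTING" "$ALLOWLIST"
```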
Which of these executables MUST be SUID or SGID to work properly?
Probably almost all of them need to be SUID to work properly from a user account. Such programs have to access root files, usually.
However, if you never use a particular program as user, it need not be SUID (this is usage dependent).
Dusty
welcome to security hell