Help required in disabling commands.

pinga123 · 06-15-2011, 12:52 AM

I want to disable following commands in my linux distribution (Thanks to Linux hardening guide)

Code:

# which rcp
/usr/kerberos/bin/rcp
# which rlogin
/usr/kerberos/bin/rlogin
# which rsh
/usr/kerberos/bin/rsh

When checked they were all part of krb5-workstation-1.6.1-25.el5 rpm.

Code:

# rpm -qf `which rcp`
krb5-workstation-1.6.1-25.el5
# rpm -qf `which rlogin`
krb5-workstation-1.6.1-25.el5
# rpm -qf `which rsh`
krb5-workstation-1.6.1-25.el5

As krb5-workstation-1.6.1-25.el5 has more than 100's of command associated with it,It wouldn't be a possible to remove the package itself.

Code:

# rpm -qlp krb5-workstation-1.6.1-31.el5_3.3.i386.rpm
warning: krb5-workstation-1.6.1-31.el5_3.3.i386.rpm: Header V3 DSA signature: NO
KEY, key ID 1e5e0159
/etc/pam.d/ekshell
/etc/pam.d/gssftp
/etc/pam.d/kshell
/etc/profile.d/krb5-workstation.csh
/etc/profile.d/krb5-workstation.sh
/etc/rc.d/init.d/krb524
/etc/sysconfig/krb524
/etc/xinetd.d/eklogin
/etc/xinetd.d/ekrb5-telnet
/etc/xinetd.d/gssftp
/etc/xinetd.d/klogin
/etc/xinetd.d/krb5-telnet
/etc/xinetd.d/kshell
/usr/kerberos
/usr/kerberos/bin
/usr/kerberos/bin/ftp
/usr/kerberos/bin/gss-client
/usr/kerberos/bin/kdestroy
/usr/kerberos/bin/kinit
/usr/kerberos/bin/klist
/usr/kerberos/bin/kpasswd
/usr/kerberos/bin/krb524init
/usr/kerberos/bin/krlogin
/usr/kerberos/bin/krsh
/usr/kerberos/bin/ksu
/usr/kerberos/bin/kvno
/usr/kerberos/bin/rcp
/usr/kerberos/bin/rlogin
/usr/kerberos/bin/rsh
/usr/kerberos/bin/sim_client
/usr/kerberos/bin/telnet
/usr/kerberos/bin/uuclient
/usr/kerberos/bin/v4rcp
/usr/kerberos/man
/usr/kerberos/man/man1
/usr/kerberos/man/man1/ftp.1.gz
/usr/kerberos/man/man1/kdestroy.1.gz
/usr/kerberos/man/man1/kinit.1.gz
/usr/kerberos/man/man1/klist.1.gz
/usr/kerberos/man/man1/kpasswd.1.gz
/usr/kerberos/man/man1/krb5-send-pr.1.gz
/usr/kerberos/man/man1/krb524init.1.gz
/usr/kerberos/man/man1/ksu.1.gz
/usr/kerberos/man/man1/kvno.1.gz
/usr/kerberos/man/man1/rcp.1.gz
/usr/kerberos/man/man1/rlogin.1.gz
/usr/kerberos/man/man1/rsh.1.gz
/usr/kerberos/man/man1/telnet.1.gz
/usr/kerberos/man/man1/v4rcp.1.gz
/usr/kerberos/man/man8
/usr/kerberos/man/man8/ftpd.8.gz
/usr/kerberos/man/man8/k5srvutil.8.gz
/usr/kerberos/man/man8/kadmin.8.gz
/usr/kerberos/man/man8/klogind.8.gz
/usr/kerberos/man/man8/krb524d.8.gz
/usr/kerberos/man/man8/kshd.8.gz
/usr/kerberos/man/man8/ktutil.8.gz
/usr/kerberos/man/man8/login.krb5.8.gz
/usr/kerberos/man/man8/telnetd.8.gz
/usr/kerberos/sbin
/usr/kerberos/sbin/ftpd
/usr/kerberos/sbin/gss-server
/usr/kerberos/sbin/k5srvutil
/usr/kerberos/sbin/kadmin
/usr/kerberos/sbin/klogind
/usr/kerberos/sbin/krb5-send-pr
/usr/kerberos/sbin/krb524d
/usr/kerberos/sbin/kshd
/usr/kerberos/sbin/ktutil
/usr/kerberos/sbin/login.krb5
/usr/kerberos/sbin/sim_server
/usr/kerberos/sbin/telnetd
/usr/kerberos/sbin/uuserver
/usr/share/doc/krb5-workstation-1.6.1
/usr/share/doc/krb5-workstation-1.6.1/convert-config-files
/usr/share/doc/krb5-workstation-1.6.1/kdestroy.html
/usr/share/doc/krb5-workstation-1.6.1/kinit.html
/usr/share/doc/krb5-workstation-1.6.1/klist.html
/usr/share/doc/krb5-workstation-1.6.1/kpasswd.html
/usr/share/doc/krb5-workstation-1.6.1/ksu.html
/usr/share/doc/krb5-workstation-1.6.1/services.append
/usr/share/doc/krb5-workstation-1.6.1/user-guide.ps.gz
/usr/share/info/krb5-user.info.gz

What else can be done to disable these command?

chrism01 · 06-15-2011, 01:07 AM

That's odd, not to mention annoying ... Anyway,

1. you can set the the ownerships are root:root and remove ALL perms.

2. Another option is to just manually delete just those binaries; should work I believe.

3. rename them (you should try this before trying option 2; just in case you have to put them back ...)

pinga123 · 06-15-2011, 01:30 AM

Quote:

Originally Posted by chrism01

That's odd, not to mention annoying ... Anyway,

1. you can set the the ownerships are root:root and remove ALL perms.

2. Another option is to just manually delete just those binaries; should work I believe.

3. rename them (you should try this before trying option 2; just in case you have to put them back ...)

One more twist that i found.
As it shows rcp ,rlogin ,rsh are also part of below rpm.

Confused what to do?

I would be glad to know why two rpms listing the commands.
The only difference is the first one listed the commands under /usr/kerberos and later in /user/bin

Code:

# rpm -ql rsh-0.17-38.el5
/usr/bin/rcp
/usr/bin/rexec
/usr/bin/rlogin
/usr/bin/rsh
/usr/share/man/man1/rcp.1.gz
/usr/share/man/man1/rexec.1.gz
/usr/share/man/man1/rlogin.1.gz
/usr/share/man/man1/rsh.1.gz

Is removing an rpm not an option?

honeybadger · 06-15-2011, 04:18 AM

Removing rpm or yum would be a disaster. The next thing (unless you really know what you are doing) would be a reinstall.
Try to rename the binaries else if you have a gui to enable/disable services you can get it done from there. Else put a custom script in rc.local that would say 'service rcp stop'. Havent used RH or its derivatives - man they are tough to handle.
Hope this helps.

pinga123 · 06-15-2011, 04:27 AM

Quote:

Originally Posted by SilverBack

Removing rpm or yum would be a disaster. The next thing (unless you really know what you are doing) would be a reinstall.
Try to rename the binaries else if you have a gui to enable/disable services you can get it done from there. Else put a custom script in rc.local that would say 'service rcp stop'. Havent used RH or its derivatives - man they are tough to handle.
Hope this helps.

Let me clear here.They are not any services they are commands.

chrism01 · 06-15-2011, 07:54 PM

The point is, you've got 2 rpms that contain (2 separate copies of) those program files (& in the case of kerberos, more stuff as well).

0. Take a good backup! (preferably 2)
1. do you really need the kerberos installation? if not you should be able to yum remove it
2. the other one is the std rsh etc rpm and you should be able to yum remove it (I believe)

Stick to yum cmds in order to handle dependencies if any. If this is a prod system, try any changes on a backup system first.
https://access.redhat.com/kb/docs/DOC-2531

pinga123 · 06-16-2011, 12:13 AM

Quote:

Originally Posted by chrism01

The point is, you've got 2 rpms that contain (2 separate copies of) those program files (& in the case of kerberos, more stuff as well).

0. Take a good backup! (preferably 2)
1. do you really need the kerberos installation? if not you should be able to yum remove it
2. the other one is the std rsh etc rpm and you should be able to yum remove it (I believe)

Stick to yum cmds in order to handle dependencies if any. If this is a prod system, try any changes on a backup system first.
https://access.redhat.com/kb/docs/DOC-2531

What is this kerberos thing(noob here).Is removing kerberos make any impact.
As you can see its points to rsh in kerberos and not the /usr/bin/rsh installed in previous package.
If i remove kerberos will it point /usr/bin/rsh or i need to manually link it.
What command to issue for removing kerberos using yum.

Code:

# yum remove kerberos
Loading "security" plugin
Setting up Remove Process
No Match for argument: kerberos
No Packages marked for removal

Code:

# which rsh
/usr/kerberos/bin/rsh

Not sure over this.

Code:

yum remove krb*
Transaction Summary
=============================================================================
Install      0 Package(s)
Update       0 Package(s)
Remove     597 Package(s)

Is this ok [y/N]: n

chrism01 · 06-16-2011, 05:37 AM

Consider

Code:

 rpm -qa|grep krb

krb5-libs-1.6.1-55.el5_6.1
pam_krb5-2.2.14-18.el5
krb5-workstation-1.6.1-55.el5_6.1
krb5-auth-dialog-0.7-1

All the kerberos stuff contains the 'krb' (actually krb5) string.
See the cmds in that link I gave.
Only you know if you're using kerberos or not, or ask if this is a work system.
As I said, if you're worried, just disable them as per my suggestions above; even just moving them to another dir not in anyone's $PATH would do, so long as they can't see it.
Try that for a while and see if it matters.
If not, you would prob 'yum remove krb5-workstation' to get rid.

Code:

 ll /usr/bin/rcp

-rwsr-xr-x 1 root root 18608 Sep 22  2009 /usr/bin/rcp
[chris@boole ~]$ yum provides /usr/bin/rcp
Loaded plugins: fastestmirror
rsh-0.17-40.el5.i386 : Clients for remote access commands (rsh, rlogin, rcp).

so you'd yum remove rsh to get rid of those (non-krb) versions

Code:

yum provides /usr/kerberos/bin/rcp
Loaded plugins: fastestmirror
krb5-workstation-1.6.1-55.el5.i386 : Kerberos 5 programs for use on
....

Basically, use 'yum provides /dir/path/to/cmd' to check which pkg provides a given exe (or any file actually). Note the use of the absolute filepath for best results.

HTH

ssrameez · 06-16-2011, 06:22 AM

sorry I have not understood your problem correctly.

1) Why dont' you remove the commands alone or rename it from its locations(rm or mv accordinlgy).
2) Once that is done you can create a boot image from that to install to multiple other systems if you want.

--Rameez