LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 07-15-2008, 06:05 AM   #1
jenhu
LQ Newbie
 
Registered: Jul 2008
Location: Finland
Distribution: Slackware
Posts: 11

Rep: Reputation: 0
Do all these files really need setuid/setgid?


With security on my mind I searched my box for files with permissions +6000, and got many results. Now I need help to determine which ones actually need setuid/setgid.
These are the files I got:

22808 32 -rwsr-xr-x 1 root root 31860 Jun 24 2007 /bin/umount
422791 36 -rws--x--x 1 root root 35868 Jun 19 2007 /bin/su
422804 64 -rwsr-xr-x 1 root root 60576 Jun 24 2007 /bin/mount
422823 32 -rws--x--x 1 root root 28992 May 9 2007 /bin/ping
422822 28 -rws--x--x 1 root root 26804 May 9 2007 /bin/ping6
994313 236 -r-sr-xr-- 1 uucp uucp 237320 Jun 6 2003 /usr/sbin/uucico
994312 108 -r-sr-xr-- 1 uucp uucp 104308 Jun 6 2003 /usr/sbin/uuxqt
994298 684 -r-xr-sr-x 1 root smmsp 692804 Jun 10 2007 /usr/sbin/sendmail
503977 56 -rwsr-xr-x 1 root root 52585 Jul 8 17:09 /usr/local/bin/fusermount
897332 8 -rwxr-sr-x 1 root utmp 4864 Feb 7 2007 /usr/lib/utempter/utempter
308906 148 -rws--x--x 1 root root 147260 Apr 3 2007 /usr/libexec/ssh-keysign
308895 12 -rwxr-sr-x 1 root utmp 10140 Jun 10 2007 /usr/libexec/gnome-pty-helper
894623 12 -rwsr-xr-x 1 root root 9728 Jun 19 2007 /usr/libexec/pt_chown
880787 20 -rwsr-x--- 1 root floppy 19076 May 1 2002 /usr/bin/fdmount
888208 8 -rwsr-xr-x 1 root root 5824 Jun 11 2007 /usr/bin/kgrantpty
1078606 132 -r-sr-xr-- 1 uucp uucp 131032 Jun 6 2003 /usr/bin/cu
1078595 16 -rws--x--x 1 root bin 16100 Mar 3 2003 /usr/bin/traceroute
1079418 208 -rwxr-s--x 1 root shadow 205856 Apr 21 2007 /usr/bin/xscreensaver
881484 32 -rwxr-sr-x 1 root slocate 31112 Apr 19 2006 /usr/bin/slocate
888190 8 -rwsr-xr-x 1 root root 5048 Jun 11 2007 /usr/bin/start_kdeinit
888195 12 -rwsr-xr-x 1 root root 11003 Oct 1 2006 /usr/bin/fileshareset
881434 36 -rws--x--x 1 root root 34256 Jun 19 2007 /usr/bin/chage
886992 12 -rwsr-xr-x 1 root root 10104 Jun 29 2007 /usr/bin/kcheckpass
881435 36 -rws--x--x 1 root root 36092 Jun 19 2007 /usr/bin/passwd
1078613 104 -r-sr-xr-- 1 uucp uucp 100592 Jun 6 2003 /usr/bin/uustat
881635 12 -r-xr-sr-x 1 root tty 8544 Jun 24 2007 /usr/bin/write
881438 20 -rws--x--x 1 root root 17372 Jun 19 2007 /usr/bin/expiry
1078520 16 -rwxr-sr-x 1 root mail 12588 Sep 19 2006 /usr/bin/lockfile
1078607 96 -r-sr-xr-- 1 uucp uucp 93720 Jun 6 2003 /usr/bin/uux
1078608 96 -r-sr-xr-- 1 uucp uucp 90336 Jun 6 2003 /usr/bin/uucp
888510 564 -rwsr-xr-x 1 root root 573196 May 23 2007 /usr/bin/kppp
881436 28 -rws--x--x 1 root root 28368 Jun 19 2007 /usr/bin/chsh
881437 32 -rws--x--x 1 root root 29916 Jun 19 2007 /usr/bin/chfn
1013107 8 -rws--x--x 1 root root 7944 Apr 30 2007 /usr/bin/rsh
1078583 84 -rwxr-s--- 1 root news 81884 Feb 3 2006 /usr/bin/slrnpull
881953 36 -rwsr-sr-x 1 daemon daemon 36484 Aug 3 2006 /usr/bin/at
1012839 12 -rws--x--x 1 root root 11484 May 9 2007 /usr/bin/traceroute6
1078611 40 -r-sr-xr-- 1 uucp uucp 37244 Jun 6 2003 /usr/bin/uuname
878998 12 -rwsr-xr-x 1 root root 8584 May 10 2007 /usr/bin/lppasswd
1013106 16 -rws--x--x 1 root root 14828 Apr 30 2007 /usr/bin/rcp
881433 24 -rws--x--x 1 root root 20960 Jun 19 2007 /usr/bin/newgrp
1079080 1672 -rwsr-xr-x 1 root root 1705500 May 10 2007 /usr/bin/Xorg
884649 96 -rws--x--x 1 root bin 90400 Feb 6 2006 /usr/bin/sudo
887008 44 -rwxr-sr-x 1 root nogroup 44824 Jun 29 2007 /usr/bin/kdesud
881432 36 -rws--x--x 1 root root 35516 Jun 19 2007 /usr/bin/gpasswd
880486 12 -rws--x--x 1 root root 10480 Dec 14 2006 /usr/bin/crontab
1078521 68 -rwsr-sr-x 1 root mail 65368 Sep 19 2006 /usr/bin/procmail
1079404 2392 -rwxr-s--x 1 root shadow 2442576 Feb 7 2007 /usr/bin/xlock
881627 12 -r-xr-sr-x 1 root tty 10056 Jun 24 2007 /usr/bin/wall
888216 8 -rwsr-xr-x 1 root root 6100 Jun 11 2007 /usr/bin/kpac_dhcp_helper
1013108 12 -rws--x--x 1 root root 10764 Apr 30 2007 /usr/bin/rlogin

I'm the only one using this computer, so I could probably su into root, on some of the files, when I need them. Is it better(=securer) to execute files as root than to have setuid or setgid permissions?
 
Old 07-15-2008, 07:21 AM   #2
pinniped
Senior Member
 
Registered: May 2008
Location: planet earth
Distribution: Debian
Posts: 1,732

Rep: Reputation: 50
Some of those need SUID ('su' for example - how can it work otherwise?) while many have SUID as a matter of convenience. For the 'convenient' group, some of those are genuinely useful at times, though not absolutely necessary, but most of them seem to have SUID just to be a nuisance - there is no reason for SUID and in fact it is an extremely bad idea. One obvious example: kppp - there is absolutely no valid reason to make it SUID.

What distro are you using?
 
Old 07-15-2008, 09:25 PM   #3
jamesapnic
Member
 
Registered: Jul 2008
Posts: 40

Rep: Reputation: 15
The only ones that really need them are

su,procmail,sudo,passwd commands,.

Thats presuming you are happy to run such as ping as root. Which will require that you su, but since this is still suid it shouldnt pose a problem.

Quote:
but most of them seem to have SUID just to be a nuisance
Don't really agree, such as ping and traceroute might be useful to normal users, if you run a multiuser system, these require root access for raw sockets.
 
Old 07-16-2008, 07:04 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,003
Blog Entries: 54

Rep: Reputation: 2763Reputation: 2763Reputation: 2763Reputation: 2763Reputation: 2763Reputation: 2763Reputation: 2763Reputation: 2763Reputation: 2763Reputation: 2763Reputation: 2763
Quote:
Originally Posted by jenhu View Post
These are the files I got
The first thing I'd do actually has *nothing* to do with setuid or setgid (together: setXid): check that what packages you have installed are that the packages are the ones you use now (versus "small chance they might eventually come in handy once in a gazillion years"). For instance I see utilities related to IPv6, UUCP, NNTP and R.*services. If you don't use or need to provide those then removing them means less vulnerabilities to track, less packages to update, less applications to configure. In your case you can skip aprox ten from your initial list.


Quote:
Originally Posted by jenhu View Post
I'm the only one using this computer, so I could probably su into root, on some of the files, when I need them. Is it better(=securer) to execute files as root than to have setuid or setgid permissions?
The problem with setXid binaries is that they allow others to perform tasks which require root rights. Way old setXid exploit example: in Slackware, running a 2.4 kernel, there existed a ptrace vulnerability where 'su' could be abused to execute shellcode allowing for elevated rights for all that could execute 'su' (an added bonus there for Slackware not having compiled 'su' against PAM so the same binary couldn't be used as point of entry in other distributions).

To determine how to deal with an application you need to know if you are required to have it installed at all and who or what should be able to access it. (In essence this should not only take into account the discretionary access rights but all aspects of host hardening.) You can reduce risks by 0) removing unnecessary (uu.*, rs.*) packages (which is a good thing even where no setuid issues are concerned), 1) others can be used without setuid root bit (Pinnipeds kpp example, because this is a single user machine also see write, wall, ch.*, ), 2) you can remove the setuid or setgid root bit on others (in combination with a /etc/sudoers entry). In some of those cases you can 3) adjust access rights and take away the rights for "other", in other cases you 4) could only allow root and a local group access to it (fusermount for instance). 5) There will always remain a group that you should deal with carefully because they are not (supposed to be) accessed by human users, only by daemon processes (for example procmail, lockfile) or through other means (for example pt_chown). Since GNU/Linux is flexible there's nothing keeping you from experimenting: just record the access rights, change, use and restore if it doesn't work out. (Probably also should have added something about how behaviour possibly changes when executed setXid and not). Anyway, for more see the LQ FAQ: Security references (currently being revised by Aus9 and me) and the Slackware forum (lotsa hints and docs in them stickies).
 
Old 08-03-2008, 04:49 AM   #5
jenhu
LQ Newbie
 
Registered: Jul 2008
Location: Finland
Distribution: Slackware
Posts: 11

Original Poster
Rep: Reputation: 0
Thanks

Thanks for the replies! I guess I have a lot or manpages to go through now!
 
  


Reply

Tags
permissions, setuid


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
unable to login in GUI+setuid+setgid problem bruse Debian 1 06-24-2006 06:57 AM
Bash script to email setuid root files deoren LinuxQuestions.org Member Success Stories 1 01-30-2005 09:56 AM
setuid + setgid files... jd32 Linux - Security 2 10-16-2004 11:10 AM
newgrp setgid on website files komox Linux - Security 1 09-04-2004 07:55 AM
Permissions (Setuid, Setgid, etc) Please help MelLinux Linux - General 1 10-18-2002 11:33 PM


All times are GMT -5. The time now is 12:40 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration