Old 03-15-2004, 07:41 AM   #1
znapper
LQ Newbie
 
Registered: Mar 2004
Posts: 3

Rep: Reputation: 0
Preventing root processes...


Hi

Been checking my box lately; it runs Red Hat 9 and is on a daily up2date routine to keep most bugs out of the system. However, I feel there are too many processes running as root and I would like to prevent that.

History:

I did a full reinstall on it before Christmas after my old Red Hat 6.2 distro was rooted by some Russian rootkit. At the time, I really didn't know, nor cared to do any serious forensic work to clean it up and to find out who did it, mostly because it usually just provides a basic homepage and some simple POP3 access to my home LAN.
- There were two new users in the /etc/passwd file and some files were compromised, but I didn't know much about what else this rootkit changed, so I decided to scrap the whole system after backing up my small web database from MySQL.

Anyway, the installation of the new redhat distro, postfix, amavis with spamassassin and clam, the web, mysql etc proved to be a lot of work indeed, so this time around, I've decided to keep a higher level of security and patching.

So, nowadays it's running with iptables on.
I allow access only from work and 2-3 LAN addresses when it comes to ssh, I have tripwire installed, and I'm running chkrootkit regularly.

But I've noticed that I do have a lot of processes running as root, and I don't like it at all; I haven't been rooted (yet? 8] ) though.
But how do I go about changing the process owner from root to something else, especially when the processes (I'm not mentioning any specific ones here, I hope you understand that) are started from scripts located in the /etc/rc.d/initd/ dir? I mean, some processes don't even have their own user in the system.
 
Old 03-15-2004, 11:37 AM   #2
kilgoretrout
Senior Member
 
Registered: Oct 2003
Posts: 2,988

Rep: Reputation: 388
Unless someone at RH made an error or you configured something improperly, I suspect that any running processes are running with the least privilege necessary for them to function properly. Without knowing which processes you're talking about it's impossible to make a judgment on that issue or give you any meaningful advice. Processes normally run as root that need to write to directories where root privilege is required or that launch/control other processes requiring root privilege.
 
Old 03-15-2004, 02:38 PM   #3
clacour
Member
 
Registered: Sep 2003
Location: Dallas, Tx, USA
Distribution: Red Hat, Gentoo, Libranet
Posts: 98

Rep: Reputation: 16
As the previous poster implied, it's difficult to comment on what's running without knowing what it is. Run "ps -ef | grep '^root'" and post that.

There is a large class of daemons that run as root because they involve the network, and the current setup is that the only userid that can bind a network port is root. (I personally think this is a poor solution, but changing it to something that works better is not trivial. I'm not qualified to write the code to do it the way I think it should be done, so I'm not going to bitch too much about it being the way it is.) (xinetd, sshd, the httpd that starts all the others, etc.)

Another group that must be root is anything that involves login. (getty, sshd, etc.)

You might very well be right that there's a lot more running as root than needs to be. Http (apache), for example can be configured to run everything as root, or it can be set up to run as much as possible as some other user (typically "apache").

A lot of programs are like that, and there is frequently an alternative program available when one does not. For example, postfix is an alternative to sendmail, and one of the criteria it was designed for was security. Sendmail must run as root; postfix runs as several processes and as few of them as it can manage are run as root. If you explore what other programs do the same function as the one you're unhappy with, you can frequently find substitutes that are better-done from a security standpoint. (As an aside, I recommend Postfix. It was also written with ease of administration in mind. It's a LOT easier to work with than Sendmail.)

Red Hat's not the best distribution in the world for that, though. You can easily install something on Red Hat only if an RPM (a RedHat-specific RPM, at that) has been built for it. If you're even moderately familiar with compiling things from source, it's not hard to build something and install it, but the problem is, none of the rest of RH knows it's there. It will complain about things being missing which are in fact already there, and it will blithely overwrite things that you created, if another package wants to use that same file. (It might downgrade a library version, for instance.)

Of the RPM-based distributions, I'd recommend Mandrake as having the widest number of "outside" RPMs built. I've never used Mandrake for anything serious, though, so I can't comment how good they are overall, especially with regards to security.

Debian has an absolutely HUGE number of packages. Your odds of finding a pre-built package for program XYZ is probably better on Debian than anywhere. The way files are laid out, programs installed, etc, etc, is very different from Red Hat, however. You're looking at a medium-long, medium-steep learning curve to be able to use it.

I use Gentoo on two out of three of my systems. It has a very large number of packages (10,000 or so vs 13,000 for Debian), is very active, and has some really nice search features. On Gentoo, for example, I can say "emerge search syslog", and get a list of a bunch of packages. There's an option you can pass it to search the descriptions as well as the title of the package. Debian has a search function, but it doesn't work very well (you tend to get flooded with names.)

Gentoo has one aspect that is a serious downside from many people's perspective - everything is compiled from source. If you don't have BOTH a fast machine and a fast Internet connection, don't even consider it. Like Debian, the layout of things is noticeably different from Red Hat. (It's also noticeably different from Debian, in case my phrasing made that unclear.)

So, my advice would be:

1. Post your "ps -ef" here. It would be helpful for you to add comments to it that indicate when you understand why it's root and when you don't. That way, we won't have to comment on every single line.
2. Read the documentation for any applications/programs you find questionable. Sometimes, it's just a matter of configuring it properly to get it to use a non-root user.
3. For packages that COULD be run non-root, but don't have the capability, search for alternatives. If you discover there are lots of alternatives, but few of the ones you want for Red Hat, you'll have to decide which is more important to you - a flavor of Linux you're familiar with, or (potentially) greater security.
4. (If you're really hard core about this) Re-write some of the packages to use non-root access. Be warned, like with most things, if it was easy, it probably would have already been done.

Good luck
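A way to check the port-binding point made in this post (which root daemons hold a port below 1024, and as which uid), as an added example that is not from this thread or any of its posters: it parses the Linux /proc/net/tcp tables directly. The function names and the sample table layout in the comments are mine; it assumes a Linux /proc and POSIX sh plus awk.

```shell
#!/bin/sh
# Added example (not from the thread): list LISTEN sockets bound to privileged
# ports (< 1024) with the uid owning each socket and, where /proc allows,
# the owning pid. Assumes a Linux /proc; runs under POSIX sh + awk.

# hex2dec HEX: /proc/net/tcp stores ports as 4 hex digits, e.g. 0016 -> 22
hex2dec() { echo $((0x$1)); }

# privileged_listeners FILE: parse a /proc/net/tcp-style table and print
# "port uid inode" for every socket in state 0A (TCP_LISTEN) on a port < 1024.
# Columns: sl local_address rem_address st tx:rx tr:when retrnsmt uid timeout inode
privileged_listeners() {
  file=$1
  while read -r sl laddr raddr st rest; do
    [ "$sl" = "sl" ] && continue          # skip the header line
    [ "$st" = "0A" ] || continue          # only listening sockets
    set -- $rest                          # $4 = uid, $6 = socket inode
    port=$(hex2dec "${laddr##*:}")
    if [ "$port" -lt 1024 ]; then
      printf '%s %s %s\n' "$port" "$4" "$6"
    fi
  done < "$file"
}

# pid_for_inode INODE: find the process holding socket:[INODE]. Reading other
# users' /proc/PID/fd needs root, so this prints "?" when nothing is visible.
pid_for_inode() {
  for fd in /proc/[0-9]*/fd/*; do
    [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
    p=${fd#/proc/}; echo "${p%%/*}"; return 0
  done
  echo '?'
}

# report: one line per privileged listener from the IPv4 and IPv6 tables
report() {
  for tbl in /proc/net/tcp /proc/net/tcp6; do
    [ -r "$tbl" ] || continue
    privileged_listeners "$tbl" | while read -r port uid inode; do
      user=$(awk -F: -v u="$uid" '$3 == u {print $1; exit}' /etc/passwd)
      pid=$(pid_for_inode "$inode")
      comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
      printf 'port %-4s uid %s(%s) pid %s %s\n' "$port" "$uid" "${user:-?}" "$pid" "$comm"
    done
  done
}

# Usage: sh privports.sh report
case "${1:-}" in
  report) report ;;
esac
```

Anything listed with uid 0 is a daemon that at least needed root to bind its port; whether it also keeps root afterwards is a separate question answered by looking at its children.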
 
Old 03-15-2004, 05:05 PM   #4
znapper
LQ Newbie
 
Registered: Mar 2004
Posts: 3

Original Poster
Rep: Reputation: 0
Wow, tnx for those enlightening answers =)

Been using Red Hat since 1996-1997; learning Linux on a general basis is pretty good on it, although we used Debian in college, which of course is harder to learn, but also better because one learns things from the ground up, sort of.

I'm currently running postfix for my mail service; as you correctly pointed out, it's pretty sweet and simple to use and configure in comparison to sendmail.

Anyway, I guess it's safe to post here, no IP addresses or anything, so here goes:

[root@DaHost somedir]# ps -ef | grep "^root"
*lots of processes/daemons here which I don't know what they do and why they are here; I assume they have something to do with the kernel or subsystem daemons or something.
root 1 0 0 Mar12 ? 00:00:04 init [3]
root 2 1 0 Mar12 ? 00:00:00 [keventd]
root 3 1 0 Mar12 ? 00:00:00 [kapmd]
root 4 1 0 Mar12 ? 00:00:00 [ksoftirqd_CPU0]
root 9 1 0 Mar12 ? 00:00:00 [bdflush]
root 5 1 0 Mar12 ? 00:00:14 [kswapd]
root 6 1 0 Mar12 ? 00:00:00 [kscand/DMA]
root 7 1 0 Mar12 ? 00:02:22 [kscand/Normal]
root 8 1 0 Mar12 ? 00:00:00 [kscand/HighMem]
root 10 1 0 Mar12 ? 00:00:01 [kupdated]
root 11 1 0 Mar12 ? 00:00:00 [mdrecoveryd]

* Mailgraph (graphical presentation of mail traffic, spam, viruses etc) needs to read the maillog so I guess it has to be root...?

root 751 1 0 Mar12 ? 00:00:32 /usr/bin/perl -w /usr/local/bin/mailgraph.pl -l /var/log/maillog -d --daemon_pid=/var/run/mailgraph.pid --daemon_rrd=/var/lib/ --ignore-localhost

*These probably have to be root....
root 965 1 0 Mar12 ? 00:00:04 syslogd -m 0
root 969 1 0 Mar12 ? 00:00:00 klogd -x

*does ssh need to be root, I think you mentioned that...hmm..also xinetd
root 1061 1 0 Mar12 ? 00:00:24 /usr/sbin/sshd
root 1075 1 0 Mar12 ? 00:00:00 xinetd -stayalive -pidfile /var/run/xinetd.pid

*I think master is the master process for amavis which in turn controls spamassassin and clam checking from postfix (postfix is running as non-root), but I am not 100% sure
root 1177 1 0 Mar12 ? 00:00:02 [master]

*Spamassassin, dunno why it has to be root...
root 1190 1 0 Mar12 ? 00:00:19 /usr/bin/spamd -d -c -a -m5 -H
*for some reason, a daemon for the mouse is running on runlevel 3...cron is ok I guess, system cron jobs
root 1199 1 0 Mar12 ttyS1 00:00:00 gpm -t ms -m /dev/mouse
root 1233 1 0 Mar12 ? 00:00:00 crond

*I thought mysqlsafe was supposed to be non-root, right?
root 1246 1 0 Mar12 ? 00:00:00 /bin/sh /usr/local/mysql/bin/mysqld_safe --datadir=/var/lib/mysql --pid-file=/usr/local/mysql/data/Hostname.pid

*Samba as root....*chill*, is that normal
root 1314 1 0 Mar12 ? 00:00:00 smbd -D
root 1319 1 0 Mar12 ? 00:00:06 nmbd -D
root 1320 1319 0 Mar12 ? 00:00:00 nmbd -D

*redhat network
root 1357 1 0 Mar12 ? 00:00:00 rhnsd --interval 240

*what is mingetty, really? The terminal daemon?
root 1364 1 0 Mar12 tty1 00:00:00 /sbin/mingetty tty1
root 1365 1 0 Mar12 tty2 00:00:00 /sbin/mingetty tty2
root 1366 1 0 Mar12 tty3 00:00:00 /sbin/mingetty tty3
root 1367 1 0 Mar12 tty4 00:00:00 /sbin/mingetty tty4
root 1368 1 0 Mar12 tty5 00:00:00 /sbin/mingetty tty5
root 1369 1 0 Mar12 tty6 00:00:00 /sbin/mingetty tty6

*httpd is running as root, but the apache is running as "apache", so why is httpd running as root?
root 18120 1 0 15:46 ? 00:00:21 /usr/sbin/httpd

*sshd again.....dunno why this is the case, I haven't done anything other than rhn updates on it; is it a child process because I su'ed to root?
root 18577 1061 1 23:54 ? 00:00:00 /usr/sbin/sshd

*current root shell and executed command, ok.
root 18601 18580 1 23:54 pts/0 00:00:00 [su]
root 18602 18601 5 23:54 pts/0 00:00:00 bash
root 18626 18602 0 23:54 pts/0 00:00:00 ps -ef
root 18627 18602 0 23:54 pts/0 00:00:00 grep ^root


And that's all of them.

For httpd and mysqld I have 1 process for each of them running as root while the children are running as apache and mysql, which is what I wanted them to run as in the first place. Is this a requirement for the parent process so it can spawn children at all?

Tnx again for great replies.

Last edited by znapper; 03-15-2004 at 05:09 PM.
 
Old 03-18-2004, 07:47 AM   #5
clacour
Member
 
Registered: Sep 2003
Location: Dallas, Tx, USA
Distribution: Red Hat, Gentoo, Libranet
Posts: 98

Rep: Reputation: 16
Sorry for the delay in replying. I got busy with other things and forgot this thread was still unfinished.

Quote:
*lots of processes/daemons here which I don't know what they do and why they are here; I assume they have something to do with the kernel or subsystem daemons or something.
root 1 0 0 Mar12 ? 00:00:04 init [3]
root 2 1 0 Mar12 ? 00:00:00 [keventd]
root 3 1 0 Mar12 ? 00:00:00 [kapmd]
root 4 1 0 Mar12 ? 00:00:00 [ksoftirqd_CPU0]
root 9 1 0 Mar12 ? 00:00:00 [bdflush]
root 5 1 0 Mar12 ? 00:00:14 [kswapd]
root 6 1 0 Mar12 ? 00:00:00 [kscand/DMA]
root 7 1 0 Mar12 ? 00:02:22 [kscand/Normal]
root 8 1 0 Mar12 ? 00:00:00 [kscand/HighMem]
root 10 1 0 Mar12 ? 00:00:01 [kupdated]
root 11 1 0 Mar12 ? 00:00:00 [mdrecoveryd]
Yes, these are all kernel processes. Saying they're owned by root is a slight misnomer, because they're actually inside the kernel, and the kernel can do (and does, on a regular basis) some things that even root is not allowed to do.

Quote:
* Mailgraph (graphical presentation of mail traffic, spam, viruses etc) needs to read the maillog so I guess it has to be root...?

root 751 1 0 Mar12 ? 00:00:32 /usr/bin/perl -w /usr/local/bin/mailgraph.pl -l /var/log/maillog -d --daemon_pid=/var/run/mailgraph.pid --daemon_rrd=/var/lib/ --ignore-localhost
Possible, but it would be worth trying to see if it can run as "postfix".
Quote:
These probably have to be root....
root 965 1 0 Mar12 ? 00:00:04 syslogd -m 0
root 969 1 0 Mar12 ? 00:00:00 klogd -x
Yes, but I'm not happy about it. That's one of the ones where an alternative package might be better.

Quote:
*does ssh need to be root, I think you mentioned that...hmm..also xinetd
root 1061 1 0 Mar12 ? 00:00:24 /usr/sbin/sshd
root 1075 1 0 Mar12 ? 00:00:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
Yes, sshd and xinetd both need to be root, for two reasons. You have to be root to bind to a network port (which both of these do), and you need to be root to allow someone to log in (whether as ssh, ftp, telnet, or whatever).

Quote:
*I think master is the master process for amavis which in turn controls spamassassin and clam checking from postfix (postfix is running as non-root), but I am not 100% sure
root 1177 1 0 Mar12 ? 00:00:02 [master]
Actually, if you trace the parent process ids (the 3rd field on a ps -ef) back, I think you'll find that's Postfix. That one process does need to be root, but it does as little as possible, and spawns other processes as "postfix" to do everything else.

Quote:
*Spamassassin, dunno why it has to be root...
root 1190 1 0 Mar12 ? 00:00:19 /usr/bin/spamd -d -c -a -m5 -H
It's probably running as root for the same reason as mailgraph. In a sendmail-based system, it does need to be root. Try running it as postfix. May work, may not, but it's worth the experiment.

Quote:
*for some reason, a daemon for the mouse is running on runlevel 3...cron is ok I guess, system cron jobs
root 1199 1 0 Mar12 ttyS1 00:00:00 gpm -t ms -m /dev/mouse
root 1233 1 0 Mar12 ? 00:00:00 crond
Gpm gives you mouse functionality on a text screen. Lets you cut and paste things even with no X. If you don't use it, you can turn it off. (Use the program "ntsysv" to turn on and off whether programs start at boot.)

Crond definitely needs to run as root.

Quote:
*I thought mysqlsafe was supposed to be non-root, right?
root 1246 1 0 Mar12 ? 00:00:00 /bin/sh /usr/local/mysql/bin/mysqld_safe --datadir=/var/lib/mysql --pid-file=/usr/local/mysql/data/Hostname.pid
Anything that uses a network port (and MySQL does) has to have some process that runs as root. Check parents and children -- it might be like Postfix, where the one process that HAS to run as root does, and everything else runs as something safer.

Quote:
*Samba as root....*chill*, is that normal
root 1314 1 0 Mar12 ? 00:00:00 smbd -D
root 1319 1 0 Mar12 ? 00:00:06 nmbd -D
root 1320 1319 0 Mar12 ? 00:00:00 nmbd -D
Yes, it's normal (at least, it runs that way on my box, too). Both to bind network ports and because it has to deal with a wide variety of filesystems, I would expect samba to need at least some stuff as root. You might check the config to see whether running any piece of it as non-root is possible. (I don't ever remember seeing it split up, though.)

Why the "*chill*"? Because its primary job is talking to Windows boxes? That's superstitious. On older versions of Windows (95, 98), all users were always root. They're as dangerous to you on any other port as they are on port 137.

My other question is why run it at all? The only reason to have smbd running is to allow Windows boxes to mount some portion of your filesystem as a remote share. (If you are just mounting one of their partitions on your Linux box, you don't need to run Samba.)

If you don't trust these Windows boxes, why are they on your network to begin with?

*redhat network
root 1357 1 0 Mar12 ? 00:00:00 rhnsd --interval 240

Quote:
*what is mingetty, really? The terminal daemon?
root 1364 1 0 Mar12 tty1 00:00:00 /sbin/mingetty tty1
root 1365 1 0 Mar12 tty2 00:00:00 /sbin/mingetty tty2
root 1366 1 0 Mar12 tty3 00:00:00 /sbin/mingetty tty3
root 1367 1 0 Mar12 tty4 00:00:00 /sbin/mingetty tty4
root 1368 1 0 Mar12 tty5 00:00:00 /sbin/mingetty tty5
root 1369 1 0 Mar12 tty6 00:00:00 /sbin/mingetty tty6
Yes, those are the virtual terminals that you get to by hitting ALT-F1, ALT-F2, etc (or CTRL-ALT-F1, CTRL-ALT-F2 if you're in X). By expanding or shrinking that list, you can increase or decrease the number of virtual terminals you have. (That's me showing off what I know. I'm not recommending you change how many there are.)

Quote:
*httpd is running as root, but the apache is running as "apache", so why is httpd running as root?
root 18120 1 0 15:46 ? 00:00:21 /usr/sbin/httpd
Same thing as postfix. One process, usually the one that deals with binding network ports, has to be root. It spawns all the others (which do 90% of the work) as "apache".

Quote:
*sshd again.....dunno why this is the case, I haven't done anything other than rhn updates on it; is it a child process because I su'ed to root?
root 18577 1061 1 23:54 ? 00:00:00 /usr/sbin/sshd
Now that is odd. I can't think of any reason why you would have two sshd's running. Trace the parentage. If it traces back to the other sshd, I wouldn't worry about it.


*current root shell and executed command, ok.
root 18601 18580 1 23:54 pts/0 00:00:00 [su]
root 18602 18601 5 23:54 pts/0 00:00:00 bash
root 18626 18602 0 23:54 pts/0 00:00:00 ps -ef
root 18627 18602 0 23:54 pts/0 00:00:00 grep ^root


And that's all of them.

Quote:
For httpd and mysqld i have 1 process for each of them running as root while the children are running as apache and mysql, which is what i wanted them to run as in the first place. Is this a requirement for the parent process so it can spawn children at all?
Didn't see this until I'd already written my stuff. It's not so they can spawn children at all - any id can do that - it's so they can do a few things that only root can do, the two most common being logins and network ports.

Hope this helps,

CHL
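The "trace the parentage" and "check parents and children" advice in this reply, and the httpd/mysqld question it answers, as an added example that is not from this thread or any of its posters: a small sh script that reads /proc directly, so it does not depend on any particular ps flags. The function and script names are mine; it assumes a Linux /proc and POSIX sh plus awk.

```shell
#!/bin/sh
# Added example (not from the thread): trace a process's ancestry and list a
# daemon's children with their uids, reading /proc directly. Assumes a Linux
# /proc; POSIX sh + awk, and no root is needed for the fields used here.

# stat_field PID: print "PPID COMM" from /proc/PID/stat. The comm is wrapped in
# parentheses and may itself contain spaces or ')', so split on the last ") ".
stat_field() {
  stat=$(cat "/proc/$1/stat" 2>/dev/null) || return 1
  comm=${stat#*'('}; comm=${comm%')'*}
  rest=${stat##*') '}
  set -- $rest                      # $1=state $2=ppid $3=pgrp ...
  printf '%s %s\n' "$2" "$comm"
}

# uid_of PID: real uid from /proc/PID/status (numeric, no name lookup)
uid_of() { awk '/^Uid:/ {print $2; exit}' "/proc/$1/status" 2>/dev/null; }

# parent_chain PID: one "pid uid comm" line per ancestor, PID first, up to init
parent_chain() {
  pid=$1
  while [ "$pid" -gt 0 ] 2>/dev/null; do
    info=$(stat_field "$pid") || break
    printf '%s %s %s\n' "$pid" "$(uid_of "$pid")" "${info#* }"
    pid=${info%% *}
  done
}

# children_of PID: "pid uid comm" for every process whose parent is PID
children_of() {
  for s in /proc/[0-9]*/stat; do
    p=${s#/proc/}; p=${p%/stat}
    info=$(stat_field "$p") || continue
    [ "${info%% *}" = "$1" ] || continue
    printf '%s %s %s\n' "$p" "$(uid_of "$p")" "${info#* }"
  done
}

# root_daemons: root-owned processes whose parent is init (pid 1), each followed
# by a count of its children per uid. A properly split daemon shows one root
# master with its children under a service account (the httpd/postfix layout).
root_daemons() {
  children_of 1 | while read -r p uid comm; do
    [ "$uid" = "0" ] || continue
    printf '%s root %s:' "$p" "$comm"
    children_of "$p" | awk '{n[$2]++} END {for (u in n) printf " %d child(ren) as uid %s", n[u], u; print ""}'
  done
}

# Usage: sh procaudit.sh chain PID     (ancestry of PID, e.g. the second sshd)
#        sh procaudit.sh daemons       (root daemons under init, with children)
case "${1:-}" in
  chain)   parent_chain "$2" ;;
  daemons) root_daemons ;;
esac
```

For the second sshd in the listing, "chain" on its pid should end at the listening sshd and then init; a root daemon whose children are all uid 0 is the kind of process worth re-reading the documentation for.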
 
Old 03-18-2004, 12:18 PM   #6
znapper
LQ Newbie
 
Registered: Mar 2004
Posts: 3

Original Poster
Rep: Reputation: 0
Thumbs up

Hi

Yep tnx for that input, really cleared things up for me

About the *chill* concerning samba:
The reason I run samba is that I share a printer from my Linux box (because it is up 24/7 anyway), and also I share a small file area to my Windows boxes so that I can transfer/share some files between them all on the network; also, the smb share provides direct access to my homedir on Linux by attaching it from Windows.

But giving everyone (like it is with public shares) read and write access to a file area controlled by a process running as root just seems a bit dodgy, but I understand your argumentation now why it has to be root.
But I wouldn't be surprised if there one day would exist some kind of kit/script that makes it able to drop into some kind of rootshell by using the available share and regular telnet or something.

Tnx again, really helped \o/