Old 03-16-2010, 01:17 AM   #1
nuia
LQ Newbie
 
Registered: Mar 2010
Posts: 1

Rep: Reputation: 0
SUID lockdown?


I'm guessing I did this search right... but my question is, am I safe to remove access to MOST of these SUID binaries? Do they all need this power? What I want to do is minimize access just in case one of them gets an exploit (as I've already done for Apache SuEXEC).

Code:
root@host1 [~]# find / -type f -a \( -perm -2000 -o -perm -4000 \) | xargs ls -ld
-rwsr-x--- 1 root    wheel      23960 Feb 28 17:33 /bin/su
-rwsr-x--- 1 root    dbus       45148 Jan  7 19:24 /lib/dbus-1/dbus-daemon-launch-helper
-rwsr-xr-x 1 root    root       12248 Mar 11 12:24 /sbin/pam_timestamp_check
-rwsr-xr-x 1 root    root       19184 Mar 11 12:24 /sbin/unix_chkpwd
-rwsr-sr-x 1 root    root      315416 Jan  5 19:59 /usr/bin/crontab
-rwsr-xr-x 1 root    root       51512 Mar  3  2009 /usr/bin/gpasswd
-rwsr-xr-x 1 root    root       22984 Jan  6  2007 /usr/bin/passwd
-rwsr-xr-x 1 root    root       76728 Feb 26  2009 /usr/bin/quota
-rwxr-sr-x 1 root    nobody    106872 Mar 12 12:22 /usr/bin/ssh-agent
---s--x--x 2 root    root      140872 Feb 28 17:31 /usr/bin/sudo
---s--x--x 2 root    root      140872 Feb 28 17:31 /usr/bin/sudoedit
-r-xr-sr-x 1 root    tty        10484 Jan 21  2009 /usr/bin/wall
-rwsr-xr-x 1 root    root      169760 Jan 12 19:22 /usr/kerberos/bin/ksu
-rws--x--x 1 root    root      216260 Mar 12 12:22 /usr/libexec/openssh/ssh-keysign
-rwsr-xr-x 1 root    root       14056 Mar 11 15:40 /usr/local/apache.backup/bin/suexec
-rwsr-x--- 1 root    nobody     14056 Mar 11 15:48 /usr/local/apache/bin/suexec
-rwxr-sr-x 1 mailman mailman    16104 Mar  9 20:12 /usr/local/cpanel/3rdparty/mailman/cgi-bin/admin
-rwxr-sr-x 1 mailman mailman    16108 Mar  9 20:12 /usr/local/cpanel/3rdparty/mailman/cgi-bin/admindb
-rwxr-sr-x 1 mailman mailman    16108 Mar  9 20:12 /usr/local/cpanel/3rdparty/mailman/cgi-bin/confirm
-rwxr-sr-x 1 mailman mailman    16112 Mar  9 20:12 /usr/local/cpanel/3rdparty/mailman/cgi-bin/edithtml
-rwxr-sr-x 1 mailman mailman    16112 Mar  9 20:12 /usr/local/cpanel/3rdparty/mailman/cgi-bin/listinfo
-rwxr-sr-x 1 mailman mailman    16108 Mar  9 20:12 /usr/local/cpanel/3rdparty/mailman/cgi-bin/options
-rwxr-sr-x 1 mailman mailman    16108 Mar  9 20:12 /usr/local/cpanel/3rdparty/mailman/cgi-bin/private
-rwxr-sr-x 1 mailman mailman    16108 Mar  9 20:12 /usr/local/cpanel/3rdparty/mailman/cgi-bin/rmlist
-rwxr-sr-x 1 mailman mailman    16108 Mar  9 20:12 /usr/local/cpanel/3rdparty/mailman/cgi-bin/roster
-rwxr-sr-x 1 mailman mailman    16112 Mar  9 20:12 /usr/local/cpanel/3rdparty/mailman/cgi-bin/subscribe
-rwxr-sr-x 1 mailman mailman    16935 Mar  9 20:12 /usr/local/cpanel/3rdparty/mailman/mail/mailman
-rwsr-xr-x 1 root    wheel      43060 Dec 16 19:56 /usr/local/cpanel/bin/cpwrap
-rwsr-xr-x 1 root    wheel      10540 Dec 16 19:55 /usr/local/cpanel/bin/jailshell
-rwsr-xr-x 1 root    root     1083824 Mar 16  2009 /usr/sbin/exim
-rwsr-xr-x 1 root    root      148508 Oct 28  2008 /usr/sbin/mtr
-rwxr-sr-x 1 root    mailtrap   11140 Mar 16  2009 /usr/sbin/sendmail
 
Old 03-16-2010, 02:34 AM   #2
GlennsPref
Senior Member
 
Registered: Apr 2004
Location: Brisbane, Australia
Distribution: Devuan
Posts: 3,654
Blog Entries: 33

Rep: Reputation: 283
Quote:
Hi, Welcome to LQ!

LQ has a fantastic search function that may save you time waiting for an answer to a popular question.

With over 3 million posts to search it's possible the answer has been given.
I use msec and msec-gui to help me keep track of file permissions with my Mandriva system.

It alerts me of any permission changes, and runs (daemon) many times a day.

It also tells me what the permission should be, if they have changed.

This makes it easier for me to administrate.

I get a notification on the desktop (email is available).

I simply open the log file and cut and paste the offending lines, and correct the permissions with chmod, chgrp or chown.

Hope this helps, regards Glenn
 
0 members found this post helpful.
  

