LinuxQuestions.org
Old 11-18-2010, 12:55 AM   #1
pinga123
Member
 
Removing setuid option for security.


According to Security standards given in
https://www.stanford.edu/dept/as/ia/security/policies_standards/AS_standards/RH_linux_prod_sec_std_1.0.1.html


Quote:
Unless otherwise approved the following setuid root binaries are the only ones allowed on production servers:

* /bin/su
* /usr/bin/sudo
* /usr/bin/passwd
Being a production system, I want to implement the same on our server.
But when I tried finding other files I got the following output.

Code:
# ls -ltr `find / -user root -perm -4000 -print`
find: /proc/10558/task/10558/fd/4: No such file or directory
find: /proc/10558/fd/4: No such file or directory
-rwsr-xr-x 1 root root  43976 Jun  5  2007 /usr/bin/at
-rwsr-xr-x 1 root root   6240 Jun  6  2007 /usr/sbin/ccreds_validate
-rwsr-xr-x 1 root root  22984 Jun  6  2007 /usr/bin/passwd
-rwsr-xr-x 1 root root  40976 Jul 31  2008 /opt/oracle/usr/libexec/libvirt_proxy
-rwsr-x--- 1 root dbus  45148 Oct 31  2008 /lib/dbus-1/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root  31244 Oct 31  2008 /bin/ping6
-rwsr-xr-x 1 root root  35864 Oct 31  2008 /bin/ping
-rwsr-xr-x 1 root root  19184 Nov  1  2008 /sbin/unix_chkpwd
-rwsr-xr-x 1 root root  12248 Nov  1  2008 /sbin/pam_timestamp_check
-rwsr-xr-x 1 root root  24588 Nov  1  2008 /usr/bin/newgrp
-rwsr-xr-x 1 root root  51512 Nov  1  2008 /usr/bin/gpasswd
-rwsr-xr-x 1 root root  46972 Nov  1  2008 /usr/bin/chage
-rws--x--x 1 root root  32780 Nov  1  2008 /usr/sbin/userhelper
-rwsr-sr-x 1 root root 315416 Nov  1  2008 /usr/bin/crontab
-rwsr-xr-x 1 root root 176572 Nov  6  2008 /usr/libexec/openssh/ssh-keysign
-rwsr-xr-x 1 root root  70776 Jan 21  2009 /sbin/mount.nfs4
-rwsr-xr-x 1 root root  70772 Jan 21  2009 /sbin/mount.nfs
-rwsr-xr-x 1 root root  70776 Jan 21  2009 /sbin/umount.nfs4
-rwsr-xr-x 1 root root  70776 Jan 21  2009 /sbin/umount.nfs
---s--x--x 2 root root 140712 Jan 22  2009 /usr/bin/sudoedit
---s--x--x 2 root root 140712 Jan 22  2009 /usr/bin/sudo
-rwsr-xr-x 1 root root  38936 Jan 22  2009 /bin/umount
-rwsr-xr-x 1 root root  58324 Jan 22  2009 /bin/mount
-rws--x--x 1 root root  19096 Jan 22  2009 /usr/bin/chsh
-rws--x--x 1 root root  17900 Jan 22  2009 /usr/bin/chfn
-rwsr-xr-x 1 root root  23960 Jan 22  2009 /bin/su
-rwsr-xr-x 1 root root 147631 Apr  8  2009 /usr/kerberos/bin/ksu
-rwsr-xr-x 1 root root   6820 Jun 28  2009 /usr/sbin/usernetctl
-rwsr-xr-x 1 root root  64908 Jul 15  2009 /usr/libexec/libvirt_proxy
Now I'm confused over how to remove the setuid option on these files, and, more important, will it impact the rest of the system?

Old 11-18-2010, 05:34 AM   #2
unSpawn
Moderator
 
Quote:
Originally Posted by pinga123
Being a production system i want to implement the same on our server.
The document is from 2006 and was updated last in 2007. It is marked "Internal Distribution Only", which might signify Stanford-specific policies and support for systems and users of the guide. Also note the document offers compliance with several standards like DISA STIG. Determine if that kind of standards compliance is what you are actually after. Next to your distribution's documentation on system hardening, a high-level document you might want to read is Twenty Critical Controls for Effective Cyber Defense: Consensus Audit Guidelines, and for practically making changes the CIS Red Hat Enterprise Linux 5 Benchmark (CIS). Also see the LQ FAQ: Security references (or the cleaned print version at http://rkhunter.wiki.sourceforge.net/SECREF?f=print) wrt systems hardening resources, GNU/Tiger, OWASP, OpenVAS and OAT.


Quote:
Originally Posted by pinga123
and more important will it impact on rest of the sytem?
Do realize that next to your distribution's documentation on system hardening there are complete websites dedicated to Linux security (like SANS) and security standards (like NIST), and tools and methods exist to help determine necessity:
- running 'rpm -qf /path/to/binary' will show you which package the binary belongs to,
- running 'rpm -qi' on the package name will tell you in short what the package is for,
- running 'rpm -q --whatrequires package name' may indicate what other packages require your package,
- grepping your /var/log/{messages,secure} for PAM stack messages related to authorization for use of setuid binaries may indicate use, and
- grepping your /var/log/audit/audit.log may indicate use.

- Ask yourself for each file "which user except root requires to perform task X" (say change shell, mount file system?).
- Determine for each file if there exist controls to restrict usage (for instance: PAM, /etc/{at,cron}.allow).
- Determine for each file or package if the CVE lists unacceptable risks or security track record.
- Ask yourself for each package that requires your package if it is required for basic system operation (a server in most cases runs headless, in runlevel 3 and does not require X11 or Xorg).
- Ask yourself for each package if it is required for basic system operation (say ping6 if you don't run IPv6).

Running the above you will find a large portion of the files you listed are part of vital system packages like initscripts, shadow-utils, pam, util-linux, sudo and coreutils but some are not clear. Example: /lib/dbus-1/dbus-daemon-launch-helper.
Who owns and what is this file?:
Code:
stat -c "%a %U %G %F" /lib/dbus-1/dbus-daemon-launch-helper
4750 root dbus regular file
So it's a regular file (binary here) setuid-root and group dbus.

What is this group dbus?
Code:
getent group dbus
dbus:x:81:
Group has a GID below 500 (/etc/login.defs) meaning it's an account used by only the system itself.

Which package does the file belong to:
Code:
rpm -qf /lib/dbus-1/dbus-daemon-launch-helper
dbus
What group is this package in:
Code:
rpm -q dbus --qf="%{NAME}, %{GROUP}\n"
dbus, System Environment/Libraries
It reads "System Environment/Libraries" so removing this may reduce or damage operating capability.

Which package requires that package:
Code:
rpm -q --whatrequires dbus --qf="%{name}\n"
setroubleshoot-plugins setroubleshoot dbus-libs hal avahi
Which packages require the package that requires this package:
Code:
rpm -q --whatrequires dbus --qf="%{name}\n"|while read PKG; do echo "${PKG}: $(rpm -q --whatrequires ${PKG} --qf="%{name}\n"| xargs)"; done
setroubleshoot-plugins: setroubleshoot-server setroubleshoot
setroubleshoot: no package requires setroubleshoot
dbus-libs: dbus
hal: kudzu
avahi: avahi-qt3 avahi-glib avahi-compat-libdns_sd
Answering the questions:
- Which user except root requires to perform task X? None, it's a system user.
- Do controls exist to restrict usage? Yes, 'getent passwd dbus' returns shell as /sbin/nologin (inert account).
- Does the CVE list unacceptable risks or a security track record? Latest was 585394, acknowledged as CVE-2010-1172 and fixed by RHSA-2010:0616 (also see OVAL, ovaldi).
- Are the packages that require it required for basic system operation? HAL and D-BUS are both subsystems and should not be removed. setroubleshoot can be replaced by root regularly running 'ausearch' and 'audit2allow < /var/log/audit/audit.log' from the command line or a cronjob. Avahi is only necessary if your setup requires that kind of network service discovery.

HTH and good luck.
 
Old 11-18-2010, 06:34 AM   #3
unSpawn
Moderator
 
Additionally:
- logging executable access may be used to determine usage. Given a well-configured /etc/audit/audit.rules file, rules can be added from the output of running:
Code:
find / -user root -perm -4000 -printf "-a always,exit -F path=%p -F perm=x -F auid!=0 -F auid!=4294967295 -k BIN_suid\n"
- logging sessions may be used to determine usage. Given a well-configured /etc/sudoers, installed 'rootsh' package, user alias '/usr/bin/sudo /usr/bin/rootsh --no-syslog -u root -i', a command alias like
Code:
Cmnd_Alias ROOTSH = /usr/bin/rootsh --no-syslog -u root -i
will log complete user-to-root sessions to /var/log/rootsh (default location).

- requiring Sudo to access binaries will result in logging in /var/log/secure:
Code:
( echo "Cmnd_Alias SUID = "; find / -user root -perm -4000 -printf "%p, \n" )|xargs|sed -e "s|,$||"
however the list should be 0) pruned for commands only system users use and 1) for command arguments that result in loss of service (like allowing the root password or default shell to change).
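Pulling the triage questions from post #2 and the audit rule line from post #3 together, here is an added example (not code from the thread or from unSpawn) that classifies a setuid inventory in `find -printf "%m %u %g %p"` form and emits that audit rule for every binary outside the three the quoted Stanford standard allows. The inventory lines are constructed from a subset of the OP's listing, and the allowlist and verdict names are this example's own assumptions.

```shell
#!/bin/sh
# Constructed inventory in `find / -user root -perm -4000 -printf "%m %u %g %p\n"`
# form; values copied from the OP's listing, not taken from a live host.
SUID_INVENTORY='4755 root root /usr/bin/passwd
4755 root root /bin/su
4111 root root /usr/bin/sudo
4750 root dbus /lib/dbus-1/dbus-daemon-launch-helper
4755 root root /bin/ping6
6755 root root /usr/bin/crontab
4711 root root /usr/bin/chsh'

# Assumed allowlist: the three setuid-root binaries the quoted standard permits.
ALLOWED_SUID='/bin/su /usr/bin/sudo /usr/bin/passwd'

# classify MODE OWNER GROUP PATH -> prints one verdict word (names are this example's)
classify() {
  mode=$1 owner=$2 path=$4
  for a in $ALLOWED_SUID; do
    if [ "$a" = "$path" ]; then echo allowed; return; fi
  done
  [ "$owner" = root ] || { echo not-root; return; }
  special=${mode%???}   # leading octal digit: 4 = setuid, 6 = setuid+setgid
  others=${mode#???}    # trailing octal digit: rights granted to "other"
  if [ "$others" = 0 ]; then
    echo group-restricted   # e.g. 4750 root:dbus, only the dbus group can execute it
  elif [ "$special" = 6 ]; then
    echo suid-sgid-world    # both bits set and world-executable, like crontab
  else
    echo world-exec         # plain setuid root that any local user can run
  fi
}

# audit_rule PATH -> the auditd rule line from post #3 for one binary
audit_rule() {
  printf '%s\n' "-a always,exit -F path=$1 -F perm=x -F auid!=0 -F auid!=4294967295 -k BIN_suid"
}

# review_inventory -> "verdict path" per inventory entry
review_inventory() {
  printf '%s\n' "$SUID_INVENTORY" | while read -r m u g p; do
    echo "$(classify "$m" "$u" "$g" "$p") $p"
  done
}

# rules_for_review -> audit rules for every entry not on the allowlist
rules_for_review() {
  review_inventory | while read -r verdict p; do
    [ "$verdict" = allowed ] || audit_rule "$p"
  done
}

review_inventory
rules_for_review
```

The group-restricted verdict is the one that, as post #2 works through for the dbus helper, usually means a system account rather than a human user is the only caller.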

Old 11-18-2010, 11:38 AM   #4
Tinkster
Moderator
 
Moved: This thread is more suitable in <LQ-Sec> and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 07-05-2013, 07:18 PM   #5
shadowbox12
Member
 
This really should be a sticky. It's the only useful post on the subject of suid file auditing I've been able to find, with one (very dated) exception here. http://bastille-linux.org/jay/suid-audit.html
 
Old 07-09-2013, 05:38 AM   #6
pinga123
Member
 
Original Poster
Quote:
Originally Posted by shadowbox12
This really should be a sticky. It's the only useful post on the subject of suid file auditing I've been able to find, with one (very dated) exception here. http://bastille-linux.org/jay/suid-audit.html
Thanks for the update... You reminded me of some old audit days
 
  

