[Techtalk] Sticky Bits

BUNTER MATTHEW Matthew.Bunter at renaultvi.com
Tue May 21 09:59:00 EST 2002


I think that what you found was files with the SetUID 'on'. This means that
running the program gives the same privileges as the owner of the program.
For example, running passwd gives root privileges because you have to update
the /etc/shadow file - you are using shadow passwords aren't you?!?!

My understanding of sticky bits is as follows: /tmp has (should have) the
sticky bit set to stop people creating directories or links - I think.

In response to your query regarding which files should/should not be SUID. I
have asked this question on other mailing lists and got the following
replies:

------------------------------
Remove the suid bit (chmod u-s) where the following is true: (NN -- not needed on
servers, NW -- not needed on workstations, YR -- your call. If no acronym
then it is required.)

/usr/sbin/sendmail -- sending mail
/usr/X11R6/bin/Xwrapper (NN) - you are using X and normal users will be
using it as well.
/usr/bin/crontab (NN)(NW)-- normal users can create cron entries
/usr/bin/chage (YR)-- normal users can change their password aging feature.
/usr/bin/gpasswd (YR)-- group users can change passwords
/usr/bin/at (NN, NW) -- you are using this daemon to run scheduled tasks
/usr/bin/gpg (YR) --  normal users can use encryption
/usr/bin/suidperl(NN,NW) -- (I'm still not sure the purpose of this program)
/usr/bin/sperl5.6.0 (NN,NW)-- (same as above)
/usr/bin/passwd -- Required so normal users can change their password.
/usr/bin/ssh -- required so normal users can initiate ssh connections
/usr/bin/chfn (NN,NW)  -- users can change their finger information
/usr/bin/chsh (NN,NW) -- users can change their shell
/usr/bin/newgrp (NN,NW)-- users can change to a new group.
/usr/sbin/usernetctl (NN,NW)-- normal users change network interface
information and bring them up or down
/usr/sbin/traceroute (YR) -- normal users can perform traceroutes
/usr/sbin/userhelper (YR depends on the above)-- gives users info on how to
use features like chfn or chsh, etc.
/bin/ping (NN) -- normal users can ping
/bin/su (YR)-- normal users allowed to su in to root or other user accounts
(provided the password is known)
/bin/mount (NN)-- users can mount filesystems.
/bin/umount (NN)-- users can unmount filesystems.
/sbin/pwdb_chkpwd  -- used to determine if the password typed is a strong
password and not a dictionary word.
/sbin/unix_chkpwd

Regardless the ones that are okay are: passwd, unix_chkpwd,
pwdb_chkpwd, sendmail, ssh, traceroute.  This will depend on your setup
however.

------------------

> /usr/bin/suidperl(NN,NW) -- (I'm still not sure the purpose of this
> program)
> /usr/bin/sperl5.6.0 (NN,NW)-- (same as above)

suidperl is used on systems where you can't set the suid bit on *scripts*;
calling a script with this interpreter is the same as setting it u+s. Older
versions of perl (< 5.6.1) had serious security problems with suidperl, so
it's a good idea to remove the suid bit.

> /usr/bin/ssh -- required so normal users can initiate ssh connections

you only need the suid bit set on the ssh client if you are using .rhosts
authentication, because it needs to bind a port < 1024 to make sure you really
are who you tell the server you are, like the old rlogin/rsh
protocol. It's safe to remove the suid bit too.

> /bin/su (YR)-- normal users allowed to su in to root or other user
> accounts (provided the password is known)

Also, it's a good idea to restrict its execute permission to only a few
trusted people, changing its group and setting its permission to 4750.

-------------------

From Securing and Optimizing Linux Red Hat Edition
(these files had SUID removed after doing their install - not a lot was
installed though!!)

/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/wall
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/write
/usr/sbin/usernetctl
/usr/sbin/traceroute
/bin/mount
/bin/umount
/bin/ping
/sbin/netreport

-------------------

Remember that changing SUID depends on what you want to do with your box. I
am building a firewall/gateway so want nothing running that can compromise
the host.

Date: Thu, 16 May 2002 12:56:10 -0400
Subject: [Techtalk] Sticky Bits

While issuing 'find / -type f -perm +6000' I found the following files with
sticky bits.

I wanted to know what is the implication and consequences of having these
files and which one of these files I should change.

/usr/bin/suidperl
/usr/bin/sperl5.6.0
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/at
/usr/bin/lockfile
/usr/bin/slocate
/usr/bin/passwd
/usr/bin/wall
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/write
/usr/bin/crontab
/usr/bin/kcheckpass
/usr/bin/kdesud
/usr/bin/ssh
/usr/bin/rcp
/usr/bin/rlogin
/usr/bin/rsh
/usr/bin/sudo
/usr/bin/gnome-stones
/usr/bin/gataxx
/usr/bin/glines
/usr/bin/gnibbles
/usr/bin/gnobots2
/usr/bin/gnotravex
/usr/bin/gnomine
/usr/bin/mahjongg
/usr/bin/gnotski
/usr/bin/gtali
/usr/bin/iagno
/usr/bin/same-gnome
/usr/sbin/ping6
/usr/sbin/traceroute6
/usr/sbin/utempter
/usr/sbin/sendmail
/usr/sbin/usernetctl
/usr/sbin/gnome-pty-helper
/usr/sbin/userhelper
/usr/sbin/traceroute
/usr/sbin/lockdev
/usr/X11R6/bin/Xwrapper
/bin/ping
/bin/mount
/bin/umount
/bin/su
/sbin/pwdb_chkpwd
/sbin/unix_chkpwd
/sbin/netreport

IMHO get rid of these files altogether :

/usr/bin/wall
/usr/bin/rcp
/usr/bin/rlogin
/usr/bin/rsh


Hope this helps,

Matt
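To turn the advice in the replies above into something repeatable, here is an added example (not from the thread or any of the posters) that classifies a find listing against the allowlist the replies agree on (passwd, unix_chkpwd, pwdb_chkpwd, sendmail, ssh, su), the four programs suggested for removal (wall, rcp, rlogin, rsh), and treats everything else as a candidate for chmod u-s. It is a dry run that prints the commands rather than executing them; the group "wheel" for su, the sample paths, and the blanket "strip everything else" rule are this example's own assumptions, since the replies say the right set depends on the box.

```shell
#!/bin/sh
# Added example: plan SUID/SGID clean-up from 'find / -type f -perm +6000'
# output. Dry run only: prints the chmod/chgrp/rm commands, never runs them.

# Binaries the replies above agree should keep their set-id bit.
KEEP="passwd unix_chkpwd pwdb_chkpwd sendmail ssh su"
# Programs the thread suggests removing altogether (r-commands, wall).
DELETE="wall rcp rlogin rsh"
# Assumed trusted group for su (the reply only says "changing its group").
SU_GROUP=wheel

# classify PATH -> prints keep | delete | strip
classify() {
    name=${1##*/}
    for k in $KEEP; do
        if [ "$name" = "$k" ]; then echo keep; return 0; fi
    done
    for d in $DELETE; do
        if [ "$name" = "$d" ]; then echo delete; return 0; fi
    done
    echo strip
}

# action PATH -> prints the dry-run command for that path
action() {
    case $(classify "$1") in
        keep)
            # su stays SUID but is restricted to a trusted group (mode 4750)
            if [ "${1##*/}" = su ]; then
                echo "chgrp $SU_GROUP $1 && chmod 4750 $1"
            else
                echo "# keep $1"
            fi ;;
        delete) echo "rm -f $1" ;;
        strip)  echo "chmod u-s,g-s $1" ;;
    esac
}

# audit: reads one path per line on stdin (find output) and prints the plan
audit() {
    while IFS= read -r p; do
        if [ -n "$p" ]; then action "$p"; fi
    done
}

# Constructed sample: a subset of the find output quoted in the thread.
SAMPLE='/usr/bin/passwd
/usr/bin/chfn
/usr/bin/rlogin
/bin/su
/bin/ping'

# count_strip -> number of sample paths that would lose their set-id bit
count_strip() {
    n=0
    for p in $SAMPLE; do
        case $(action "$p") in "chmod u-s"*) n=$((n + 1)) ;; esac
    done
    echo "$n"
}

printf '%s\n' "$SAMPLE" | audit
```

Feed it real output with `find / -type f -perm +6000 | sh -c '. ./plan.sh; audit'` and review the plan before running any of the printed commands.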
