Steve Scrimpshire Posted May 27, 2004
I read on this site: http://www.mrbass.org/linux/
"Search for SUID programs to save yourself from getting rooted with find / -perm -4000"
Now, I'm not as security-savvy as I'd like to be. My question is: should there be no files that are SUID root? If I find any that are, will it harm the functionality of my MDK box to change this? The two that stick out to me on my system are /usr/bin/passwd and /usr/bin/sudo. Here's the whole output:
[root@localhost omar]# find / -perm -4000
find: /proc/461/task: No such file or directory
find: /proc/6771/task/6771/fd/4: No such file or directory
/usr/bin/ping6
/usr/bin/chage
/usr/bin/expiry
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/crontab
/usr/bin/passwd
/usr/bin/gpg
/usr/bin/procmail
/usr/bin/cdrecord
/usr/bin/readcd
/usr/bin/cdrdao
/usr/bin/ml85p
/usr/bin/klaptop_acpi_helper
/usr/bin/smbmnt3
/usr/bin/smbumount3
/usr/bin/at
/usr/bin/sudo
/usr/bin/getscox
/usr/bin/sperl5.8.4
/usr/bin/lppasswd
/usr/lib/ssh/ssh-keysign
/usr/sbin/traceroute6
/usr/sbin/usernetctl
/usr/sbin/userhelper
/usr/sbin/fileshareset
/usr/sbin/traceroute
/usr/X11R6/bin/Xwrapper
/sbin/pam_timestamp_check
/sbin/pwdb_chkpwd
/sbin/unix_chkpwd
/bin/ping
/bin/su
/bin/mount
/bin/umount
/bin/mount.cifs3
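A scripted version of the audit in the post above, added here as an example and not taken from the thread or the linked site: it lists setuid and setgid binaries with their owner and mode, then diffs that list against a saved baseline so that a newly appeared or changed entry stands out, instead of stripping bits from binaries such as passwd or su that need them. It assumes GNU find and stat (a Linux box); the baseline path is whatever you choose.

```shell
#!/bin/sh
# Added example, not code from the thread: audit setuid/setgid files and diff against a baseline.
# The aim is detection, not removal: a new or changed setuid binary is what you want to notice.
LC_ALL=C; export LC_ALL

# Print "mode owner:group path" for every setuid or setgid regular file under $1, sorted.
list_setuid() {
    root=${1:-/}
    # -xdev stays on one filesystem, which also skips /proc and its "No such file" noise;
    # -type f ignores directories (setgid on a directory is normal and harmless).
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec stat -c '%A %U:%G %n' {} + 2>/dev/null | sort
}

# Print entries present now but absent from the baseline file $2. A changed mode or owner
# shows up too, since whole lines are compared. Returns 1 if anything new was found.
suid_diff() {
    root=$1; baseline=$2
    cur=$(mktemp) || return 2
    list_setuid "$root" > "$cur"
    # comm -13: suppress lines only in the baseline and lines in both; keep lines only in "cur".
    added=$(sort "$baseline" | comm -13 - "$cur")
    rm -f "$cur"
    [ -z "$added" ] && return 0
    printf '%s\n' "$added"
    return 1
}

# Typical use (baseline path is a constructed example, pick your own):
#   list_setuid / > /root/suid.baseline      # once, on a known-good system
#   suid_diff / /root/suid.baseline          # later, e.g. from cron; non-zero exit = something new
```

Re-run the baseline step after package updates that legitimately replace setuid binaries, otherwise every upgrade of passwd or sudo reports as a change.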
ramfree17 Posted May 28, 2004
My understanding is that you should limit the number of files having setuid but not eliminate them, as some programs can only run as root. The trouble is when new exploits have been found in these programs. Another trouble is that some application developers just make them setuid because... Just my thoughts... ciao!
linux_learner Posted May 28, 2004
I once tried changing the chmod of some of the files, Steve (/etc/password). While my system worked, it was weird. Changing the perms, while it may increase security, will affect the system and not necessarily for the best. The files you listed are executables. Certain executables should only be executed by root. That's easy enough: chmod 711. Some executables need to be executed by others, so be careful. Don't forget you can chroot and chown directories and files. If you're really worried about this, see the SELinux documentation. You can make files hidden from root, not readable by root. It's special permissions and a special configuration. If you have a test box, change your permissions to what you'd like and test it. See how it works. If you like the results, then make it in your production box. Otherwise (this is a good idea anyway) use partimage to create an image of your partitions or hard drive, so you can restore it later if you need to.
Gowator Posted May 28, 2004
One thing you can do is create a second root user like xroot and make this the owner of all the root stuff. Since any hackers don't know of the existence of xroot, it makes life harder for them. However, some utils naturally use root and it's hardcoded, although you can usually fix it. We did this on a mail server and it was just do-able, but it wasn't running anything else. I think easier is a good firewall in between and deny root access from all but localhost. Just my 2c though.
iphitus Posted May 28, 2004
IMHO I think this is paranoia. If a person with malicious intent through some miracle makes it through your firewall, if they are capable of that, I don't think that whatever you do with these setuid programs is going to stop them.
Gowator Posted May 28, 2004
> IMHO I think this is paranoia. If a person with malicious intent through some miracle makes it through your firewall, if they are capable of that, I don't think that whatever you do with these setuid programs is going to stop them.
Yep Iphitus, but some things like web servers, mail servers etc. need to be outside the firewall. SUID sticky bits are a classic way for people to gain access, and passwd etc. is a good place for them to start, i.e. they can then deny YOU access. Especially if this is a remote PC it can be important....
phunni Posted May 28, 2004
But what server services need to be run as root? You would still firewall off all ports on the server except the necessary ones, i.e. 80. Apache can be run as a normal user, can't it? So then, you simply come down to whether there are vulnerabilities in Apache. If we are simply talking about a desktop then simply firewalling is probably enough IMHO. Someone who can break through that (and it's not as hard as it might sound) will really know what they're doing - it's not just the average hacker looking out for an opportunity. If they know what they are doing then there is very limited reason for them to attack you - there is more money to be made elsewhere...
iphitus Posted May 28, 2004
I don't see why web servers and the like need to be outside the firewall. Why can't the firewall simply have port 80 open or forwarded?
phunni Posted May 28, 2004
You can and you should - my point exactly. A server must still be firewalled; it's just that it won't be as tight as a desktop system or intranet.
Gowator Posted May 28, 2004
But even the firewall has a passwd etc. And who says they do it for money??
iphitus Posted May 29, 2004
I still believe this is paranoia. If they get through the firewall they must be a very good hacker. And even if the programs are not setuid, if he is a good enough hacker to get through the firewall, he will get into the server whether or not they have the setuid bit. Besides, why on earth would a good hacker waste his time hacking aslan.no-ip.com or liquidzoo.no-ip.com (pretending they have such a setup)? Besides, they still have to get command line access to the machine to run or manipulate any of these setuid bit programs, and if they get such access, they would probably find it easier to run a rootkit. If you are so paranoid or in a situation where you would be a target - hardly anyone here - run SELinux on your server. A good firewall will stop 99% of attacks.
iphitus
tyme Posted May 29, 2004
> If they get through the firewall they must be a very good hacker.
That's not necessarily true.
> A good firewall will stop 99% of attacks.
I'm not so sure this is either. Security is dependent on a few things: what services/servers are you running, are they patched up, are you blocking unused ports, are you using strong passwords, and do you trust those you are giving accounts out to (if anyone). Of course, there are (beyond that) a few other things such as permissions regarding the services/servers you are giving access to and any executable, server-side programs (including php/sql/java servlets). The latter are really dependent upon good programming, and not something you can necessarily control - unless you develop it yourself.
Steve Scrimpshire (Author) Posted May 29, 2004
So, let me get this straight. I'm running sshd, but that port is firewalled (shorewall) from the internet and even then, root does not have permission to login via ssh. I am running Apache and it is visible to the internet, but it is up-to-date (as is my whole system), as far as MDK pkgs. From grc.com, all my ports are stealth except port 80. So, I can assume I'm relatively safe?
iphitus Posted May 29, 2004
Tyme: you're right, I made 2 big generalisations there.
Steve: You're pretty safe, I wouldn't lose any sleep over it.
tyme Posted May 29, 2004
> Steve: You're pretty safe, I wouldn't lose any sleep over it.
I concur.
iphitus: it's aight, just tryin' to help ;)