Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca © Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ® 58

32. Bits from root-owned programs

A regular user can run a program as root if that program is set SUID root. Every program or file on your system whose mode shows an 's' bit has the SUID (-rwsr-xr-x) or SGID (-r-xr-sr-x) bit enabled. Because these programs grant special privileges to the user who executes them, it is important to remove the 's' bits from root-owned programs that do not absolutely require such privilege. This is done by running the command 'chmod a-s' with the name(s) of the SUID/SGID files as its arguments. Such programs include, but are not limited to:

· Programs you never use.
· Programs that you don't want any non-root users to run.
· Programs you use occasionally, and don't mind having to su(1) to root to run.

We've placed an asterisk (*) next to each program we personally might disable and consider not absolutely required for the day-to-day work of our server. Remember that your system needs some SUID root programs to work properly, so be careful.
· To find all files with the 's' bit set on root-owned programs, use the command:

[root@deep]# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
*-rwsr-xr-x   1 root     root      35168 Sep 22 23:35 /usr/bin/chage
*-rwsr-xr-x   1 root     root      36756 Sep 22 23:35 /usr/bin/gpasswd
*-r-xr-sr-x   1 root     tty        6788 Sep  6 18:17 /usr/bin/wall
 -rwsr-xr-x   1 root     root      33152 Aug 16 16:35 /usr/bin/at
 -rwxr-sr-x   1 root     man       34656 Sep 13 20:26 /usr/bin/man
 -r-s--x--x   1 root     root      22312 Sep 25 11:52 /usr/bin/passwd
 -rws--x--x   2 root     root     518140 Aug 30 23:12 /usr/bin/suidperl
 -rws--x--x   2 root     root     518140 Aug 30 23:12 /usr/bin/sperl5.00503
 -rwxr-sr-x   1 root     slocate   24744 Sep 20 10:29 /usr/bin/slocate
*-rws--x--x   1 root     root      14024 Sep  9 01:01 /usr/bin/chfn
*-rws--x--x   1 root     root      13768 Sep  9 01:01 /usr/bin/chsh
*-rws--x--x   1 root     root       5576 Sep  9 01:01 /usr/bin/newgrp
*-rwxr-sr-x   1 root     tty        8328 Sep  9 01:01 /usr/bin/write
 -rwsr-xr-x   1 root     root      21816 Sep 10 16:03 /usr/bin/crontab
*-rwsr-xr-x   1 root     root       5896 Nov 23 21:59 /usr/sbin/usernetctl
*-rwsr-xr-x   1 root     bin       16488 Jul  2 10:21 /usr/sbin/traceroute
 -rwxr-sr-x   1 root     utmp       6096 Sep 13 20:11 /usr/sbin/utempter
 -rwsr-xr-x   1 root     root      14124 Aug 17 22:31 /bin/su
*-rwsr-xr-x   1 root     root      53620 Sep 13 20:26 /bin/mount
*-rwsr-xr-x   1 root     root      26700 Sep 13 20:26 /bin/umount
*-rwsr-xr-x   1 root     root      18228 Sep 10 16:04 /bin/ping
*-rwxr-sr-x   1 root     root       3860 Nov 23 21:59 /sbin/netreport
 -r-sr-xr-x   1 root     root      26309 Oct 11 20:48 /sbin/pwdb_chkpwd

· To disable the SUID bits on the selected programs above, type the following commands:

[root@deep /]# chmod a-s /usr/bin/chage
[root@deep /]# chmod a-s /usr/bin/gpasswd
[root@deep /]# chmod a-s /usr/bin/wall
[root@deep /]# chmod a-s /usr/bin/chfn
[root@deep /]# chmod a-s /usr/bin/chsh
[root@deep /]# chmod a-s /usr/bin/newgrp
[root@deep /]# chmod a-s /usr/bin/write
[root@deep /]# chmod a-s /usr/sbin/usernetctl
[root@deep /]# chmod a-s /usr/sbin/traceroute
[root@deep /]# chmod a-s /bin/mount
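The find-then-chmod procedure above is a one-time cleanup; what a practitioner also wants is a repeatable check that the set of SUID/SGID files has not grown since that review. The script below is an added example, not part of the book: it wraps the same find predicates the book uses in a function, compares the result against a baseline allowlist (one absolute path per line; the file name /etc/suid-baseline.txt and the baseline contents are assumptions you replace with your own reviewed list), reports anything not on the list, and offers a helper that applies the book's chmod a-s remediation. Run it from cron or at login time and treat any UNEXPECTED line as something to investigate.

```shell
#!/bin/sh
# Added example (not from the book): audit SUID/SGID files against a
# baseline allowlist and strip the s bits from files you decide to demote.

# Assumed location of the reviewed baseline; override via the environment.
SUID_BASELINE="${SUID_BASELINE:-/etc/suid-baseline.txt}"

# list_suid_sgid ROOT
# Print every regular file under ROOT with the SUID or SGID bit set,
# one absolute path per line, sorted. Uses the book's find predicates;
# -xdev keeps the walk on one filesystem so /proc and network mounts
# are not scanned.
list_suid_sgid() {
    find "$1" -xdev -type f \( -perm -04000 -o -perm -02000 \) -print 2>/dev/null | sort
}

# unexpected_suid ROOT BASELINE
# Print the paths from list_suid_sgid that are not listed in BASELINE.
# A missing or unreadable baseline is treated as empty, so every
# SUID/SGID file is reported until you create one.
unexpected_suid() {
    root=$1
    baseline=$2
    [ -r "$baseline" ] || baseline=/dev/null
    list_suid_sgid "$root" | while IFS= read -r path; do
        # -x: whole-line match, -F: literal, so "/bin/su" does not match "/bin/sudo"
        grep -qxF -- "$path" "$baseline" || printf '%s\n' "$path"
    done
}

# audit_suid ROOT BASELINE
# Exit 0 when every SUID/SGID file is on the baseline; otherwise print
# each unexpected path prefixed with UNEXPECTED and exit 1.
audit_suid() {
    found=$(unexpected_suid "$1" "$2")
    if [ -n "$found" ]; then
        printf '%s\n' "$found" | sed 's/^/UNEXPECTED /'
        return 1
    fi
    return 0
}

# drop_s_bits FILE...
# Apply the book's remediation (chmod a-s) to each file and show the
# resulting mode so the change is visible in the log.
drop_s_bits() {
    for f in "$@"; do
        chmod a-s -- "$f" && ls -l -- "$f"
    done
}

# Stand-alone use: audit the whole system against the baseline.
# Example: SUID_BASELINE=/etc/suid-baseline.txt sh suid-audit.sh /
if [ "${1:-}" != "" ]; then
    audit_suid "$1" "$SUID_BASELINE"
fi
```

To build the initial baseline, run list_suid_sgid / once on a freshly reviewed machine, remove the entries you demote with drop_s_bits, and save the rest; the audit then only flags what changed, whether that is a package upgrade restoring a bit you cleared or a new SUID binary that nobody installed on purpose.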