Securing-Optimizing-RH-Linux-1_2_58
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
58
32. Bits from root-owned programs
A regular user will be able to run a program as root if that program is set SUID root. All programs
and files on your computer with an s bit appearing in their mode have the SUID (-rwsr-xr-x) or
SGID (-r-xr-sr-x) bit enabled. Because these programs grant special privileges to the user who is
executing them, it is important to remove the 's' bits from root-owned programs that don't
absolutely require such privilege. This can be accomplished by executing the command 'chmod
a-s' with the name(s) of the SUID/SGID files as its arguments.
Such programs include, but aren't limited to:
· Programs you never use.
· Programs that you don't want any non-root users to run.
· Programs you use occasionally, and don't mind having to su (1) to root to run.
We've placed an asterisk (*) next to each program we personally might disable and consider
not absolutely required for the daily work of our server. Remember that your system needs
some suid root programs to work properly, so be careful.
· To find all files on the system with the s bits set, and see which of them are root-owned programs, use the command:
[root@deep]# find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
*-rwsr-xr-x   1 root     root       35168 Sep 22 23:35 /usr/bin/chage
*-rwsr-xr-x   1 root     root       36756 Sep 22 23:35 /usr/bin/gpasswd
*-r-xr-sr-x   1 root     tty         6788 Sep  6 18:17 /usr/bin/wall
 -rwsr-xr-x   1 root     root       33152 Aug 16 16:35 /usr/bin/at
 -rwxr-sr-x   1 root     man        34656 Sep 13 20:26 /usr/bin/man
 -r-s--x--x   1 root     root       22312 Sep 25 11:52 /usr/bin/passwd
 -rws--x--x   2 root     root      518140 Aug 30 23:12 /usr/bin/suidperl
 -rws--x--x   2 root     root      518140 Aug 30 23:12 /usr/bin/sperl5.00503
 -rwxr-sr-x   1 root     slocate    24744 Sep 20 10:29 /usr/bin/slocate
*-rws--x--x   1 root     root       14024 Sep  9 01:01 /usr/bin/chfn
*-rws--x--x   1 root     root       13768 Sep  9 01:01 /usr/bin/chsh
*-rws--x--x   1 root     root        5576 Sep  9 01:01 /usr/bin/newgrp
*-rwxr-sr-x   1 root     tty         8328 Sep  9 01:01 /usr/bin/write
 -rwsr-xr-x   1 root     root       21816 Sep 10 16:03 /usr/bin/crontab
*-rwsr-xr-x   1 root     root        5896 Nov 23 21:59 /usr/sbin/usernetctl
*-rwsr-xr-x   1 root     bin        16488 Jul  2 10:21 /usr/sbin/traceroute
 -rwxr-sr-x   1 root     utmp        6096 Sep 13 20:11 /usr/sbin/utempter
 -rwsr-xr-x   1 root     root       14124 Aug 17 22:31 /bin/su
*-rwsr-xr-x   1 root     root       53620 Sep 13 20:26 /bin/mount
*-rwsr-xr-x   1 root     root       26700 Sep 13 20:26 /bin/umount
*-rwsr-xr-x   1 root     root       18228 Sep 10 16:04 /bin/ping
*-rwxr-sr-x   1 root     root        3860 Nov 23 21:59 /sbin/netreport
 -r-sr-xr-x   1 root     root       26309 Oct 11 20:48 /sbin/pwdb_chkpwd
· To disable the suid bits on the selected programs above, type the following commands:
[root@deep /]# chmod a-s /usr/bin/chage
[root@deep /]# chmod a-s /usr/bin/gpasswd
[root@deep /]# chmod a-s /usr/bin/wall
[root@deep /]# chmod a-s /usr/bin/chfn
[root@deep /]# chmod a-s /usr/bin/chsh
[root@deep /]# chmod a-s /usr/bin/newgrp
[root@deep /]# chmod a-s /usr/bin/write
[root@deep /]# chmod a-s /usr/sbin/usernetctl
[root@deep /]# chmod a-s /usr/sbin/traceroute
[root@deep /]# chmod a-s /bin/mount
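A small audit script, added here as an example and not taken from the book, that applies the same find test and chmod a-s to a constructed scratch tree, and then diffs a later scan against a saved baseline so that an s-bit file appearing after the cleanup is reported (the file names and modes are assumptions):

```shell
#!/bin/sh
# Added example, not the book's code: audit s-bit files the way the chapter's
# find command does, strip the bits from a chosen list, and diff a later scan
# against a saved baseline so a newly appeared SUID file stands out.

# list_suid DIR: paths under DIR with the SUID or SGID bit set, sorted.
list_suid() {
    find "$1" -type f \( -perm -04000 -o -perm -02000 \) -print | sort
}

# count_suid DIR: number of such files.
count_suid() {
    list_suid "$1" | wc -l | tr -d ' '
}

# strip_suid FILE...: remove both bits with chmod a-s, as the chapter does.
strip_suid() {
    chmod a-s "$@"
}

# new_suid BASELINE DIR: s-bit files present now but missing from BASELINE
# (written earlier with list_suid DIR > BASELINE). Any output needs an
# explanation: a package upgrade, an admin's change, or a planted binary.
new_suid() {
    list_suid "$2" | grep -vxF -f "$1"
}

# make_demo_tree: constructed tree imitating part of the chapter's listing.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/usr/bin"
    for f in bin/mount bin/su bin/ls usr/bin/chage usr/bin/passwd usr/bin/wall; do
        : > "$d/$f"
    done
    chmod 4755 "$d/bin/mount" "$d/bin/su" "$d/usr/bin/chage"  # -rwsr-xr-x
    chmod 4511 "$d/usr/bin/passwd"                             # -r-s--x--x
    chmod 2555 "$d/usr/bin/wall"                               # -r-xr-sr-x
    chmod 0755 "$d/bin/ls"                                     # no s bits
    echo "$d"
}

# Stand-alone run: audit, trim, then show what a baseline diff reports.
root=$(make_demo_tree)
echo "before: $(count_suid "$root") s-bit files"
strip_suid "$root/bin/mount" "$root/usr/bin/chage" "$root/usr/bin/wall"
echo "after:  $(count_suid "$root") s-bit files"
list_suid "$root" > "$root/baseline.txt"
chmod u+s "$root/bin/ls"
echo "new since baseline:"; new_suid "$root/baseline.txt" "$root"
rm -rf "$root"
```

On a real system, run list_suid / once after the cleanup and keep that baseline off the machine; new_suid against it from cron is a cheap way to notice an s-bit file that was not there before.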