<HTML>
<HEAD>
<TITLE>Bits from root-owned programs</TITLE>
<META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.60">
<LINK REL="HOME" TITLE="Securing and Optimizing Linux" HREF="index.html">
<LINK REL="UP" TITLE="General System Security" HREF="gen-syssecured.html">
<LINK REL="PREVIOUS" TITLE="Tighten scripts under /etc/rc.d/" HREF="chap5sec51.html">
<LINK REL="NEXT" TITLE="The kernel tunable parameters" HREF="chap5sec53.html">
</HEAD>
<BODY CLASS="section" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF">
<DIV CLASS="NAVHEADER">
<TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR><TH COLSPAN="3" ALIGN="center">Securing and Optimizing Linux: RedHat Edition - A Hands on Guide</TH></TR>
<TR>
<TD WIDTH="10%" ALIGN="left" VALIGN="bottom"><A HREF="chap5sec51.html">Prev</A></TD>
<TD WIDTH="80%" ALIGN="center" VALIGN="bottom">Chapter 5. General System Security</TD>
<TD WIDTH="10%" ALIGN="right" VALIGN="bottom"><A HREF="chap5sec53.html">Next</A></TD>
</TR>
</TABLE>
<HR ALIGN="LEFT" WIDTH="100%">
</DIV>
<DIV CLASS="section">
<H1 CLASS="section"><A NAME="AEN3975">5.23. Bits from root-owned programs</A></H1
><P>A regular user is able to run a program as root if it is set SUID root. All programs and files on your computer whose mode shows an <TT CLASS="literal">s</TT> bit have the <SPAN CLASS="acronym">SUID</SPAN> <TT CLASS="computeroutput">-rwsr-xr-x</TT> or <SPAN CLASS="acronym">SGID</SPAN> <TT CLASS="computeroutput">-r-xr-sr-x</TT> bit enabled. Because these programs grant special privileges to the user executing them, it is important to remove the <TT CLASS="literal">s</TT> bits from root-owned programs that do not absolutely require such privilege. This is done by running the command <B CLASS="command">chmod</B> <TT CLASS="literal">a-s</TT> with the name(s) of the <SPAN CLASS="acronym">SUID/SGID</SPAN> files as its arguments. Such programs include, but aren't limited to:</P>
<UL COMPACT="COMPACT">
<LI STYLE="list-style-type: disc"><P>Programs you never use.</P></LI>
<LI STYLE="list-style-type: disc"><P>Programs that you don't want any non-root users to run.</P></LI>
<LI STYLE="list-style-type: disc"><P>Programs you use occasionally, and don't mind having to <B CLASS="command">su</B> to root to run.</P></LI>
</UL
><P>We've placed an asterisk * next to each program we personally might disable and consider not absolutely required for the working of our server. Remember that your system needs some SUID root programs to work properly, so be careful and make your choices based on your requirements. To find all files that have the <TT CLASS="literal">s</TT> bits set, with their owner shown in the listing, use the command:</P>
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="screen">[root@deep]# <B CLASS="command">find</B> / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
</PRE></TD></TR></TABLE
><TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="programlisting">*-rwsr-xr-x 1 root root 35168 Sep 22 23:35 /usr/bin/chage
*-rwsr-xr-x 1 root root 36756 Sep 22 23:35 /usr/bin/gpasswd
*-r-xr-sr-x 1 root tty 6788 Sep 6 18:17 /usr/bin/wall
-rwsr-xr-x 1 root root 33152 Aug 16 16:35 /usr/bin/at
-rwxr-sr-x 1 root man 34656 Sep 13 20:26 /usr/bin/man
-r-s--x--x 1 root root 22312 Sep 25 11:52 /usr/bin/passwd
-rws--x--x 2 root root 518140 Aug 30 23:12 /usr/bin/suidperl
-rws--x--x 2 root root 518140 Aug 30 23:12 /usr/bin/sperl5.00503
-rwxr-sr-x 1 root slocate 24744 Sep 20 10:29 /usr/bin/slocate
*-rws--x--x 1 root root 14024 Sep 9 01:01 /usr/bin/chfn
*-rws--x--x 1 root root 13768 Sep 9 01:01 /usr/bin/chsh
*-rws--x--x 1 root root 5576 Sep 9 01:01 /usr/bin/newgrp
*-rwxr-sr-x 1 root tty 8328 Sep 9 01:01 /usr/bin/write
-rwsr-xr-x 1 root root 21816 Sep 10 16:03 /usr/bin/crontab
*-rwsr-xr-x 1 root root 5896 Nov 23 21:59 /usr/sbin/usernetctl
*-rwsr-xr-x 1 root bin 16488 Jul 2 10:21 /usr/sbin/traceroute
-rwxr-sr-x 1 root utmp 6096 Sep 13 20:11 /usr/sbin/utempter
-rwsr-xr-x 1 root root 14124 Aug 17 22:31 /bin/su
*-rwsr-xr-x 1 root root 53620 Sep 13 20:26 /bin/mount
*-rwsr-xr-x 1 root root 26700 Sep 13 20:26 /bin/umount
*-rwsr-xr-x 1 root root 18228 Sep 10 16:04 /bin/ping
*-rwxr-sr-x 1 root root 3860 Nov 23 21:59 /sbin/netreport
-r-sr-xr-x 1 root root 26309 Oct 11 20:48 /sbin/pwdb_chkpwd
</PRE></TD></TR></TABLE
><P>To disable the SUID bits on the selected programs above, type the following commands:
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="screen">[root@deep] /# <B CLASS="command">chmod</B> a-s /usr/bin/chage
[root@deep] /# <B CLASS="command">chmod</B> a-s /usr/bin/gpasswd
[root@deep] /# <B CLASS="command">chmod</B> a-s /usr/bin/wall
[root@deep] /# <B CLASS="command">chmod</B> a-s /usr/bin/chfn
[root@deep] /# <B CLASS="command">chmod</B> a-s /usr/bin/chsh
[root@deep] /# <B CLASS="command">chmod</B> a-s /usr/bin/newgrp
[root@deep] /# <B CLASS="command">chmod</B> a-s /usr/bin/write
[root@deep] /# <B CLASS="command">chmod</B> a-s /usr/sbin/usernetctl
[root@deep] /# <B CLASS="command">chmod</B> a-s /usr/sbin/traceroute
[root@deep] /# <B CLASS="command">chmod</B> a-s /bin/mount
[root@deep] /# <B CLASS="command">chmod</B> a-s /bin/umount
[root@deep] /# <B CLASS="command">chmod</B> a-s /bin/ping
[root@deep] /# <B CLASS="command">chmod</B> a-s /sbin/netreport
</PRE></TD></TR></TABLE>
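The find-then-chmod procedure above, as an added example that is not from the book: a POSIX shell script that lists SUID/SGID files under a tree with the same find(1) test, reports those whose program names are not on an allowlist you maintain (the book's "programs your system needs"), and runs chmod a-s on the rest. It builds a constructed sample tree under mktemp so it runs offline; the allowlist file and the sample paths are hypothetical.

```shell
#!/bin/sh
# Added example (not from the book): audit SUID/SGID files under a tree
# against an allowlist, then strip the bits from everything else.
# The sample tree and the allowlist file are constructed, hypothetical data.

# Regular files under $1 with the SUID (04000) or SGID (02000) bit set;
# the same test the book's find(1) command applies to /.
find_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Every SUID/SGID file under $1 whose basename is NOT listed in the
# allowlist file $2 (one program name per line): the review candidates.
audit_suid_sgid() {
    find_suid_sgid "$1" | while IFS= read -r f; do
        grep -qx "${f##*/}" "$2" || printf '%s\n' "$f"
    done
}

# Apply the book's fix, chmod a-s, to every file the audit reported.
strip_unlisted() {
    audit_suid_sgid "$1" "$2" | while IFS= read -r f; do
        chmod a-s "$f"
    done
}

# Constructed sample tree: empty stand-ins for three of the listed binaries,
# with the modes the book shows, plus one plain file that must not match.
# Prints the tree's path; "su" is the only name on its allowlist.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/usr/bin"
    for f in bin/su bin/ping usr/bin/wall usr/bin/ls; do
        : > "$d/$f"
    done
    chmod 4755 "$d/bin/su" "$d/bin/ping"   # -rwsr-xr-x (SUID)
    chmod 2555 "$d/usr/bin/wall"           # -r-xr-sr-x (SGID)
    chmod 0755 "$d/usr/bin/ls"             # no s bits
    printf 'su\n' > "$d/allow.txt"
    printf '%s\n' "$d"
}

# Stand-alone run: report candidates, strip them, show what survived.
tree=$(make_sample_tree)
audit_suid_sgid "$tree" "$tree/allow.txt"
strip_unlisted "$tree" "$tree/allow.txt"
find_suid_sgid "$tree"
rm -rf "$tree"
```

Running the audit function alone against / and saving its output gives a baseline to diff on later runs, which is how a newly appeared s bit gets noticed.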
</P>
<DIV CLASS="example"><A NAME="AEN4016"></A>
<P><B>Example 5-4. Use man pages</B></P>
<P>If you want to know what those programs do, type <TT CLASS="userinput"><B>man program-name</B></TT> and read the man page.
<TABLE BORDER="0" BGCOLOR="#E0E0E0" WIDTH="100%"><TR><TD><PRE CLASS="screen">[root@deep] /# <B CLASS="command">man</B> netreport
</PRE></TD></TR></TABLE>
</P>
</DIV>
</DIV
><DIV CLASS="NAVFOOTER">
<HR ALIGN="LEFT" WIDTH="100%">
<TABLE WIDTH="100%" BORDER="0" CELLPADDING="0" CELLSPACING="0">
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top"><A HREF="chap5sec51.html">Prev</A></TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="index.html">Home</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top"><A HREF="chap5sec53.html">Next</A></TD>
</TR>
<TR>
<TD WIDTH="33%" ALIGN="left" VALIGN="top">Tighten scripts under <TT CLASS="filename">/etc/rc.d/</TT></TD>
<TD WIDTH="34%" ALIGN="center" VALIGN="top"><A HREF="gen-syssecured.html">Up</A></TD>
<TD WIDTH="33%" ALIGN="right" VALIGN="top">The kernel tunable parameters</TD>
</TR>
</TABLE>
</DIV>
</BODY>
</HTML>