SUIDFiles

bluefox@icebox:~/Projects$ sudo find /bin /sbin /usr /lib /opt -perm -4000

These files are setuid. Here are recommendations for a "Security center" that was referenced earlier on the ubuntu-devel mailing list with a cheap mock-up. Some of this is just guessing, most is educated guessing after reading the man pages; don't take me at my word :)

  • /bin/su
    • Required to change users. On Ubuntu, we probably only want root to be su'ing
    • Taking the setuid off this would allow only users with sudo access to switch users
    • Removing setuid on this may be an option for the user
  • /usr/bin/sudo, /usr/bin/sudoedit
    • sudo
    • UBUNTU USES THIS, LEAVE SETUID ON IT
    • Not sure about sudoedit
    • Do NOT remove setuid on this!
  • /usr/bin/passwd
    • Users use this to change their password
    • Do NOT remove setuid on this!
  • /sbin/unix_chkpwd
    • Used by anything checking passwords as a helper application
    • Do NOT remove setuid on this!
  • /usr/bin/newgrp
    • Log into a group
    • This is rarely used
    • Removing setuid on this may be an option for the user
  • /bin/mount, /bin/umount
    • Mounting and unmounting
    • Disabling setuid on these should not be done by default.
    • Disabling setuid on these will only allow sudoers to mount/unmount things
      • pmount may be allowed for removable media for anyone still
    • Removing setuid on this may be an option for the user
  • /usr/bin/pmount, /usr/bin/pumount
    • Policy mount: Mount and unmount removable media
      • Media must be removable
      • Media must NOT be in fstab
      • Media must NOT already be mounted
      • Media must be a /dev block device
      • Media must not be a locked device
      • Mount point must not have something mounted there
    • Gnome and HAL use this to mount/umount media such as USB pen drives
    • Disabling setuid on these should DEFINITELY not be done by default
    • Disabling setuid on these will require sudo access to mount anything not in /etc/fstab
    • Removing setuid on this may be an option for the user
  • /bin/ping, /bin/ping6, /usr/bin/traceroute.lbl, /usr/sbin/traceroute6, /usr/sbin/arping, /usr/bin/fping, /usr/bin/fping6, /usr/bin/mtr
    • Network testing
    • Ordinary users normally don't need to do this
    • Shouldn't be disabled by default, but usually it won't matter much
    • Removing setuid on this may be an option for the user
  • /usr/bin/at
    • Cron
    • Probably want to disable this, but not by default
    • Removing setuid on this may be an option for the user
  • /usr/bin/chfn, /usr/bin/chsh
    • Change account information: name, shell, etc
    • Removes some rarely used functionality
    • Removing setuid on this may be an option for the user
  • /usr/bin/gpasswd
    • Group administration tool
    • Probably not used much
    • Removing setuid on this may be an option for the user
  • /usr/bin/lppasswd
    • Cups administration
    • We have other tools for this
    • Removing setuid on this may be an option for the user
  • /usr/lib/pt_chown
    • glibc helper
    • Do NOT remove setuid on this!
  • /usr/lib/hal/hal-dmiwrapper
    • Hal stuff
    • Don't know, don't touch it.
  • /usr/lib/ssh-keysign
    • SSH stuff
    • not used by most people, safe to disable
  • /usr/sbin/pppd
    • PPP, commonly used for dial-up
    • safe to disable if it's not used or is only used by root (i.e. from /etc/init.d/networking)
  • /usr/X11R6/bin/X
    • Must be setuid or X won't work, get it?
    • Do NOT remove setuid on this!
    • Maybe if a console version of the security center is made, this could be an option in the console version.
  • /usr/bin/expiry
    • password expiry stuff
    • Don't know, don't touch it.
  • /sbin/cardctl
    • PCMCIA stuff
    • Don't know, don't touch it.
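
As an added example (not part of the original page and not an Ubuntu tool), the script below turns the list above into a check: it labels each setuid path with this page's recommendation and flags any setuid file the page does not list. The labels keep, untouched, optional and unlisted, the function names, and the added `-type f` on find are this example's own choices.

```bash
#!/bin/sh
# Added example: label setuid files with this page's recommendations.
# Labels and function names are this example's own, not an Ubuntu tool.

# Map one path to the recommendation given for it in the list above.
classify_suid() {
  case "$1" in
    # "Do NOT remove setuid on this!"
    /usr/bin/sudo|/usr/bin/sudoedit|/usr/bin/passwd|/sbin/unix_chkpwd|\
    /usr/lib/pt_chown|/usr/X11R6/bin/X)
      echo keep ;;
    # "Don't know, don't touch it."
    /usr/lib/hal/hal-dmiwrapper|/usr/bin/expiry|/sbin/cardctl)
      echo untouched ;;
    # "Removing setuid may be an option for the user" / "safe to disable"
    /bin/su|/usr/bin/newgrp|/bin/mount|/bin/umount|\
    /usr/bin/pmount|/usr/bin/pumount|/bin/ping|/bin/ping6|\
    /usr/bin/traceroute.lbl|/usr/sbin/traceroute6|/usr/sbin/arping|\
    /usr/bin/fping|/usr/bin/fping6|/usr/bin/mtr|/usr/bin/at|\
    /usr/bin/chfn|/usr/bin/chsh|/usr/bin/gpasswd|/usr/bin/lppasswd|\
    /usr/lib/ssh-keysign|/usr/sbin/pppd)
      echo optional ;;
    # Not on this page: a setuid file that needs manual review.
    *)
      echo unlisted ;;
  esac
}

# Read paths on stdin, print "label<TAB>path" for each one.
# Returns 1 if any path is unlisted, so a scheduled job can alert on it.
report_suid() {
  suid_rc=0
  while IFS= read -r suid_path; do
    suid_label=$(classify_suid "$suid_path")
    if [ "$suid_label" = unlisted ]; then suid_rc=1; fi
    printf '%s\t%s\n' "$suid_label" "$suid_path"
  done
  return "$suid_rc"
}

# Same search as the find command at the top of the page, limited to
# regular files (-type f is an addition made by this example).
audit_suid() {
  find "$@" -type f -perm -4000 2>/dev/null | report_suid
}

# Scan only when directories are given, e.g.: sh suid-audit.sh /bin /sbin /usr
if [ "$#" -gt 0 ]; then audit_suid "$@"; fi
```

Run it as root with the same directories as the find command at the top of the page; a non-zero exit status means at least one setuid file was found that this page does not cover.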

In many cases it might be possible to replace SUID programs by (DBUS?) services. For example, the password management and 'ping'. This would probably be safer as it makes them perform their function in a controlled environment, instead of inheriting any context from the user. It also makes it easier to use/automate from GUI settings panels and so on.

CategoryArchive

SUIDFiles (last edited 2009-11-22 11:08:10 by laanwj)