Setuid
|
Size: 2037
Comment: Added sudo and shadow
|
Size: 2037
Comment: Moving content around. No actual change
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 4: | Line 4: |
| || libpam-foreground || /bin/check-foreground-console || no || no || n/a || Small secure wrapper to read /dev/console|| || cupsys || /usr/bin/lppasswd || no || n/a || n/a || Needs root to read /etc/cups/passwd.* || || fping || /bin/fping || needed || n/a || no || Checks: if ( geteuid() ) {... exit(3); Will patch and send upstream -JeffSchroeder || || util-linux || /bin/mount, /bin/umount || needed || no || n/a || Checks: if (getuid () != geteuid ()). Should check for CAP_SYS_ADMIN capability|| || exim4 || /usr/sbin/exim4 || configurable || possible || n/a || *lines 1581-1582 src/exim.c || || shadow || /bin/su, /usr/bin/chfn, /usr/bin/chsh, /usr/bin/gpasswd, /usr/bin/newgrp, /usr/bin/passwd || UNKNOWN || UNKNOWN || UNKNOWN || Needs a review || || sudo || /usr/bin/sudo, /usr/bin/sudoedit || UNKNOWN || UNKNOWN || UNKNOWN || Needs a review || |
|
| Line 5: | Line 12: |
| || fping || /bin/fping || needed || n/a || no || Checks: if ( geteuid() ) {... exit(3); Will patch and send upstream -JeffSchroeder || | |
| Line 7: | Line 13: |
| || util-linux || /bin/mount, /bin/umount || needed || no || n/a || Checks: if (getuid () != geteuid ()). Should check for CAP_SYS_ADMIN capability|| | |
| Line 10: | Line 15: |
| || libpam-foreground || /bin/check-foreground-console || no || no || n/a || Small secure wrapper to read /dev/console|| | |
| Line 12: | Line 16: |
| || exim4 || /usr/sbin/exim4 || configurable || possible || n/a || *lines 1581-1582 src/exim.c || | |
| Line 14: | Line 17: |
| || cupsys || /usr/bin/lppasswd || no || n/a || n/a || Needs root to read /etc/cups/passwd.* || || shadow || /bin/su, /usr/bin/chfn, /usr/bin/chsh, /usr/bin/gpasswd, /usr/bin/newgrp, /usr/bin/passwd || UNKNOWN || UNKNOWN || UNKNOWN || Needs a review || || sudo || /usr/bin/sudo, /usr/bin/sudoedit || UNKNOWN || UNKNOWN || UNKNOWN || Needs a review || |
This is a list of setuid applications that need investigation. See the [https://lists.ubuntu.com/archives/ubuntu-hardened/2007-October/000217.html mailinglist post] about this for more information.
Source Package |
setuid Files |
De-rooted |
Capabilities |
Changes Sent Upstream |
Comments |
libpam-foreground |
/bin/check-foreground-console |
no |
no |
n/a |
Small secure wrapper to read /dev/console |
cupsys |
/usr/bin/lppasswd |
no |
n/a |
n/a |
Needs root to read /etc/cups/passwd.* |
fping |
/bin/fping |
needed |
n/a |
no |
Checks: if ( geteuid() ) {... exit(3); Will patch and send upstream -JeffSchroeder |
util-linux |
/bin/mount, /bin/umount |
needed |
no |
n/a |
Checks: if (getuid () != geteuid ()). Should check for CAP_SYS_ADMIN capability |
exim4 |
/usr/sbin/exim4 |
configurable |
possible |
n/a |
*lines 1581-1582 src/exim.c |
shadow |
/bin/su, /usr/bin/chfn, /usr/bin/chsh, /usr/bin/gpasswd, /usr/bin/newgrp, /usr/bin/passwd |
UNKNOWN |
UNKNOWN |
UNKNOWN |
Needs a review |
sudo |
/usr/bin/sudo, /usr/bin/sudoedit |
UNKNOWN |
UNKNOWN |
UNKNOWN |
Needs a review |
iputils |
/bin/ping, /bin/ping6, /bin/arping, /usr/bin/traceroute6.iputils |
yes |
possible |
UNKNOWN |
*line 129 ping.c, *line 217 ping6.c, *line 314 arping.c, *line 343 traceroute6.c |
mtr |
/usr/bin/mtr |
yes |
possible |
n/a |
*line 333 mtr.c |
glibc |
/usr/lib/pt_chown |
yes |
possible |
n/a |
*line 147glibc-2.6.1/login/programs/pt_chown.c |
cdrtools |
/usr/bin/cdrecord |
yes |
possible |
n/a |
*line 1120 cdrecord/cdrecord.c |
eject |
/usr/lib/eject/dmcrypt-get-device |
yes |
possible |
n/a |
*lines 60-61 dmcrypt-get-device.c |
openssh-client |
/usr/lib/openssh/ssh-keysign |
yes |
tricky |
n/a |
*line 176 permanently_set_uid() function |
* - Where in the software the privileges are dropped using the setuid() / setgid() or setreuid() / setresgid() system calls.
Security/Investigation/Setuid (last edited 2013-07-23 07:07:01 by 74)