Full Disclosure mailing list archives
Re: Partial Solution to SUID Problems
From: Michal Zalewski <lcamtuf () ghettot org>
Date: Sat, 6 Dec 2003 19:07:54 +0100 (CET)
On Sat, 6 Dec 2003, Todd Burroughs wrote:
As I said, this gives you some control and, regardless if you do this, you should have the minimum number of s[ug]id programs to make your system functional. Start with 'su' and 'sendmail' for a server, for a workstation, you'll probably need a couple to run X properly and probably some for convenience.
Hmm, I would disagree... 'su' is not really neccessary to make your system functional, is it? Unless your users need to switch privileges all the time, which is doubtful. The only use of 'su' is when you believe the old and silly rule not to allow direct root logins... but the rule is of very little value - it does not truly make any kind of attack more difficult or less likely to succeed, and having an extra setuid program (a fairly complex one, and with several vulnerabilities in the past) is a high price to pay. But that is a specific case, and 'su' might make sense in some configurations. Other programs - not necessarily. With 'sendmail', there are several ways to allow users and programs to submit mails with no extra privileges - the simplest hack I've seen, which is acceptable for low to medium MTA loads, is to make a minor tweak to sendmail code to read /etc/mail/user.cf when run as non-root, /etc/mail/sendmail.cf when run as root. The first file contains minimal rulesets and relies all mail in interactive mode to a daemon running on port 25. New Sendmail releases also come with privilege separation, although it does use a setgid binary and a local submission queue (which offers a better performance and does not require a daemon listening on a port). With many other vital setuid applications, it is very easy to make them setgid instead, since almost all just need the right to read or write a single file or access a single device or functionality, effectively reducing the exposure when a compromise occurs; passwd, chfn, chsh, etc - on systems with PAM, a single-file password management system can be easily replaced with a more secure design that does not require more than setgid, and, if compromised, cannot be used to modify other user's parameters or add new accounts. There are many ways to significantly improve local security without major paradigm shifts or coding efforts, and some of them could be implemented by default with no particular impact on the base functionality. It is just that people and vendors do not feel like doing it, with very few exceptions. -- ------------------------- bash$ :(){ :|:&};: -- Michal Zalewski * [http://lcamtuf.coredump.cx] Did you know that clones never use mirrors? --------------------------- 2003-12-06 18:50 -- http://lcamtuf.coredump.cx/photo/current/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Partial Solution to SUID Problems Todd Burroughs (Dec 04)
- Re: Partial Solution to SUID Problems Gino Thomas (Dec 04)
- new dos attack? Geo. (Dec 04)
- Re: new dos attack? Jonathan A. Zdziarski (Dec 04)
- Re: Partial Solution to SUID Problems Ciro (Dec 05)
- Re: Partial Solution to SUID Problems Vladimir Parkhaev (Dec 05)
- Re: Partial Solution to SUID Problems Todd Burroughs (Dec 06)
- Re: Partial Solution to SUID Problems Henning Brauer (Dec 06)
- Re: Partial Solution to SUID Problems Todd Burroughs (Dec 06)
- Re: Partial Solution to SUID Problems Michal Zalewski (Dec 06)
- Re: Partial Solution to SUID Problems Valdis . Kletnieks (Dec 06)
- Re: Partial Solution to SUID Problems Todd Burroughs (Dec 07)
- Re: Partial Solution to SUID Problems Karl DeBisschop (Dec 07)
- Re: Partial Solution to SUID Problems Michal Zalewski (Dec 07)
- Re: Partial Solution to SUID Problems Valdis . Kletnieks (Dec 06)
- new dos attack? Geo. (Dec 04)
- Re: Partial Solution to SUID Problems Gino Thomas (Dec 04)
- Re: Partial Solution to SUID Problems Markus Friedl (Dec 07)
- Re: Partial Solution to SUID Problems Brian Hatch (Dec 07)
- Re: Partial Solution to SUID Problems Henning Brauer (Dec 08)
- <Possible follow-ups>
- Re: Partial Solution to SUID Problems Paul Szabo (Dec 06)
- Re: Partial Solution to SUID Problems Todd Burroughs (Dec 06)