Bugtraq mailing list archives
Re: rdist exploit [bsdi]
From: taob () io org (Brian Tao)
Date: Sun, 14 Jul 1996 10:33:14 -0400
On Sat, 13 Jul 1996, Andrew N. Edmond wrote:
> chflags noschg /usr/bin/rdist  # must take off immutable flag!
> chmod 000 /usr/bin/rdist       # wipe all functionality from this prog
This is a good policy to follow in any case. Make a list of all setuid and setgid binaries and determine if they really need those bits turned on. The default FreeBSD distribution ships with close to 60 setuid binaries. You can get away with a dozen or less on most systems. If it weren't for the r* commands and sendmail, my shell servers would only need 4 setuid root binaries (ping, lock, login and traceroute). If you use this as a default policy, many root vulnerabilities will no longer apply to you.

This is my list (updated since the one I posted to freebsd-security a couple days ago):

    cd /sbin ; chmod 500 mount_* *dump *restore route shutdown
    cd /usr/bin ; chmod 500 *-local at* batch crontab cu key* logger lp* quota rdist su uu[^de]* wall
    cd /usr/bin ; chmod 555 man
    cd /usr/sbin ; chmod 500 lp* mrinfo mtrace ppp* sliplogin timedc
    cd /usr/libexec ; chmod 500 mail.local

It's also a good idea to scan for world-writeable directories and chmod 555 them, or remove them altogether (like /var/spool/uucp* if you're not running UUCP).

--
Brian Tao (BT300, taob () io org, taob () ican net)
Senior Systems and Network Administrator, Internet Canada Corp.
"Though this be madness, yet there is method in't"
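The inventory step described in the message above, as an added example that is not part of the original post: it lists setuid/setgid files under a root directory, reports those missing from an allowlist, and lists world-writable directories. The allowlist format (one absolute path per line) and all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit setuid/setgid files
# against an allowlist and list world-writable directories.
# Assumptions: the allowlist holds one absolute path per line, and no
# path contains a newline.

# list_privileged ROOT: every setuid or setgid regular file under ROOT,
# staying on one filesystem (-xdev), sorted for stable comparison.
list_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# unexpected_privileged ROOT ALLOWLIST: privileged files not in ALLOWLIST.
# grep exits 1 when nothing is left to report; that is not an error here.
unexpected_privileged() {
    list_privileged "$1" | grep -Fvx -f "$2" || [ "$?" -eq 1 ]
}

# list_world_writable_dirs ROOT: world-writable directories under ROOT.
# "open" = no sticky bit (any user may delete or replace other users' files),
# "sticky" = sticky bit set, as on a conventional /tmp.
list_world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null |
        sort | sed 's/^/open /'
    find "$1" -xdev -type d -perm -0002 -perm -1000 -print 2>/dev/null |
        sort | sed 's/^/sticky /'
}

# main ROOT ALLOWLIST: print both reports.
main() {
    echo "== setuid/setgid files under $1 not listed in $2 =="
    unexpected_privileged "$1" "$2"
    echo "== world-writable directories under $1 =="
    list_world_writable_dirs "$1"
}

# Run the report only when called as: script ROOT ALLOWLIST
[ "$#" -ne 2 ] || main "$@"
```

Each file it reports is a candidate for the review the message describes; the script itself changes no permissions.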