neysx 06/09/16 20:48:37 Modified: shb-perms.xml Log: #147760 join lines
Revision Changes Path 1.2 xml/htdocs/doc/en/security/shb-perms.xml file : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-perms.xml?rev=1.2&view=markup plain: http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-perms.xml?rev=1.2&content-type=text/plain diff : http://sources.gentoo.org/viewcvs.py/gentoo/xml/htdocs/doc/en/security/shb-perms.xml?r1=1.1&r2=1.2 Index: shb-perms.xml =================================================================== RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-perms.xml,v retrieving revision 1.1 retrieving revision 1.2 diff -u -r1.1 -r1.2 --- shb-perms.xml 1 Jun 2005 15:43:47 -0000 1.1 +++ shb-perms.xml 16 Sep 2006 20:48:37 -0000 1.2 @@ -1,5 +1,5 @@ <?xml version='1.0' encoding='UTF-8'?> -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-perms.xml,v 1.1 2005/06/01 15:43:47 neysx Exp $ --> +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/security/shb-perms.xml,v 1.2 2006/09/16 20:48:37 neysx Exp $ --> <!DOCTYPE sections SYSTEM "/dtd/book.dtd"> <!-- The content of this document is licensed under the CC-BY-SA license --> @@ -30,10 +30,8 @@ <body> <pre caption="Finding world-writable files and directories"> -# <i>/usr/bin/find / -type f \( -perm -2 -o -perm -20 \) \ - -exec ls -lg {} \; 2>/dev/null >writable.txt</i> -# <i>/usr/bin/find / -type d \( -perm -2 -o -perm -20 \) \ - -exec ls -ldg {} \; 2>/dev/null >>writable.txt</i> +# <i>find / -type f \( -perm -2 -o -perm -20 \) -exec ls -lg {} \; 2>/dev/null >writable.txt</i> +# <i>find / -type d \( -perm -2 -o -perm -20 \) -exec ls -ldg {} \; 2>/dev/null >>writable.txt</i> </pre> <p> @@ -62,8 +60,7 @@ </p> <pre caption="Finding setuid files"> -# <i>/usr/bin/find / -type f \( -perm -004000 -o -perm -002000 \) \ - -exec ls -lg {} \; 2>/dev/null >suidfiles.txt</i> +# <i>find / -type f \( -perm -004000 -o -perm -002000 \) -exec ls -lg {} \; 2>/dev/null >suidfiles.txt</i> </pre> <p> 
@@ -95,15 +92,15 @@ <p> By default Gentoo Linux does not have a lot of SUID files (though this depends -on what you installed), but you might get a list like the one above. Most of the -commands should not be used by normal users, only root. Switch off the SUID bit -on <c>ping</c>, <c>mount</c>, <c>umount</c>, <c>chfn</c>, <c>chsh</c>, <c>newgrp</c>, <c>suidperl</c>, <c>pt_chown</c> -and <c>traceroute</c> by executing <c>chmod -s</c> on every file. Don't -remove the bit on <c>su</c>, <c>qmail-queue</c> or <c>unix_chkpwd</c>. Removing -setuid from those files will prevent you from <c>su</c>'ing and receiving -mail. By removing the bit (where it is safe to do so) you remove the possibility -of a normal user (or an attacker) gaining root access through any of these -files. +on what you installed), but you might get a list like the one above. Most of +the commands should not be used by normal users, only root. Switch off the SUID +bit on <c>ping</c>, <c>mount</c>, <c>umount</c>, <c>chfn</c>, <c>chsh</c>, +<c>newgrp</c>, <c>suidperl</c>, <c>pt_chown</c> and <c>traceroute</c> by +executing <c>chmod -s</c> on every file. Don't remove the bit on <c>su</c>, +<c>qmail-queue</c> or <c>unix_chkpwd</c>. Removing setuid from those files will +prevent you from <c>su</c>'ing and receiving mail. By removing the bit (where +it is safe to do so) you remove the possibility of a normal user (or an +attacker) gaining root access through any of these files. </p> <p> @@ -112,6 +109,7 @@ But if you are running X, you might have some more, since X needs the elevated access afforded by SUID. </p> + </body> </section> <section> -- [email protected] mailing list
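Review bot: in the `@@ -30,10 +30,8 @@` hunk the caption "Finding world-writable files and directories" does not match the predicate on the joined lines: `\( -perm -2 -o -perm -20 \)` matches group-writable (`-20`) as well as other-writable (`-2`) entries, so the list in writable.txt will contain plenty of files that are not world-writable. Either narrow the test to `-perm -2` or change the caption to "group- or world-writable". The join itself is the right fix for the bug: with the backslash continuations gone, each command can be pasted as a single line.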
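Review bot: the same caption mismatch appears in the `@@ -62,8 +60,7 @@` hunk: `\( -perm -004000 -o -perm -002000 \)` finds both setuid (04000) and setgid (02000) files, while the caption says "Finding setuid files" and the prose below it only discusses SUID. Suggest "Finding setuid and setgid files", or drop the `-o -perm -002000` branch if only setuid is meant. Minor style point: `-perm -004000` is the same test as `-perm -4000`; the shorter form reads better and is consistent with the `-perm -2` style used in the earlier block.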
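Review bot: the `@@ -95,15 +92,15 @@` hunk is a pure rewrap with no wording change, so it is fine as it stands; since the paragraph is being touched anyway, one gap worth closing: the "Don't remove the bit on" list names three binaries (`su`, `qmail-queue`, `unix_chkpwd`) but the consequence sentence covers only two ("prevent you from su'ing and receiving mail"). Add the third: `unix_chkpwd` is the PAM helper that checks passwords on behalf of non-root processes, so stripping its setuid bit breaks password verification for things like screen lockers. It would also help the "where it is safe to do so" qualifier to say that after `chmod -s` on `mount`, `umount` and `ping`, normal users can no longer mount their fstab `user` entries or run `ping` at all, which is the trade-off the reader is being asked to accept.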
