On Mon, 2004-01-05 at 13:59, Marcy Cortes wrote:
> Our security group wants us to turn off setuid for all programs or document
> why it's there.
>
> SLES 7 seems to have the following: mount ping umount at chage chfn chsh
> crontab gpasswd rlogin rcp rsh sendmail traceroute
>
> SLES 8 has all the above except for rcp rlogin rsh sendmail & traceroute
>
> Is everything going to fall apart if I change them? Or can anyone point out
> why these programs need it so I can justify it to them? Thanks!
Mount/umount: need access to the actual disk device. Removing setuid removes the ability for non-root users to perform mounts. For S/390 not a big deal, probably. For x86 users, this means that non-root users can't mount floppies or CDs.

Ping and traceroute: use raw ICMP packets, which means they use the raw socket device. If you want anyone besides root to use them, they must be setuid.

Crontab, at, chfn, chage, chsh, gpasswd: you want users to be able to change system files, and these programs provide controlled interfaces to do this. These need to stay setuid, unless you don't want users to change their own passwords, or you don't want users to be able to create at/cron jobs.

rsh, rcp, rlogin: I don't really know why they need to be setuid, but you don't want them on your system anyway. Use ssh instead. It can do everything those can, and it provides a secure transport to do it.

Sendmail: needs root privileges to bind to port 25; if you run it as mail rather than root, then it can do the bind and give up the root privileges quickly rather than having to *stay* root, which is even more dangerous. My suggestion is that you don't want to run Sendmail either: it is big and hairy and has a history of security exposures. My favorite MTA is Exim; qmail and postfix are the other popular choices. However, these are still going to run as root or be setuid root, so that they can bind port 25.

Adam

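The "turn it off or document why it's there" exercise from the thread, as an added example that is not part of either message: a POSIX sh script that lists every setuid/setgid file under a directory and checks each one against an allowlist of documented exceptions, flagging anything undocumented. The allowlist format (basename, a tab, the justification) and the function names are this example's own assumptions; the test builds a throwaway directory of fake binaries rather than scanning a real system.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Audits set-uid/set-gid
# files below a directory against an allowlist of documented exceptions.
# Allowlist format (an assumption for this demo): "basename<TAB>reason",
# one per line, lines starting with # are comments.

# list_setuid ROOT
# Every regular file under ROOT (one filesystem only) with the setuid or
# setgid bit set, one absolute path per line, sorted for stable output.
# Unreadable directories are skipped silently when run as a normal user.
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# classify PATH ALLOWLIST
# Prints one report line: "OK <kind> <path> (<reason>)" when the basename is
# documented in ALLOWLIST, otherwise "UNDOCUMENTED <kind> <path>".
classify() {
    path=$1
    name=$(basename "$path")
    # test -u / -g are POSIX: setuid or setgid bit on the file itself
    if [ -u "$path" ]; then kind=setuid; else kind=setgid; fi
    reason=$(awk -F'\t' -v n="$name" '!/^#/ && $1 == n { print $2; exit }' "$2")
    if [ -n "$reason" ]; then
        printf 'OK %s %s (%s)\n' "$kind" "$path" "$reason"
    else
        printf 'UNDOCUMENTED %s %s\n' "$kind" "$path"
    fi
}

# audit_setuid ROOT ALLOWLIST
# Prints the full report. Exit status 0 when every privileged file is
# documented, 1 when at least one is not (so it can gate a cron job or CI).
audit_setuid() {
    report=$(list_setuid "$1" | while IFS= read -r path; do
        classify "$path" "$2"
    done)
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q '^UNDOCUMENTED'
}

# undocumented_setuid ROOT ALLOWLIST
# Just the paths that need either a justification or chmod u-s,g-s.
undocumented_setuid() {
    audit_setuid "$1" "$2" | awk '$1 == "UNDOCUMENTED" { sub(/^[^ ]+ [^ ]+ /, ""); print }'
}

# Typical use on a real host: audit_setuid / /etc/setuid-allowlist
```

Run it once with an empty allowlist to get the inventory, write a one-line reason next to each program that genuinely needs privilege (the raw socket for ping, the block device for mount, and so on), and the undocumented list becomes the set of candidates for removing the bit.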