I'm moving this to the main PLUG list.

On Sun, Aug 26, 2001 at 04:25:50PM +0800, Fritz Mesedilla wrote:
> I wasn't able to attend the Linux 10.
> 
> But I read in your slides about: "find / -perm +4000 -print"
> 
> I got a lot of files. What do I have to do with it now?
> How do I make it secure?
> 

Figure out what each file does.  My slides gave guidelines on how to
assess the usefulness of each setuid root binary.  Each such program
is a potential security risk, and my guidelines are supposed to help
you decide the gravity of the risk and determine what you can do about
it.

1. Do you really need the program?  If not, get rid of it.  You'll
sleep better at night that way.

2. Can you get rid of setuid without affecting the system's operation?
For example, the mount command is installed setuid root on a lot of
systems.  Most of the time only root needs to use the mount command,
so you can safely get rid of the suid bit.

3. Is there a way to set up the program so it doesn't need elevated
privileges?  For example, the SSH client only needs setuid privs
because it uses privileged ports to communicate by default.  You can
safely get rid of setuid if you reconfigure it to use non-privileged
ports (there are some caveats with this though, read the ssh man page
for more details).

4. Who really needs to use this program?  Most of the time only
ordinary users, not system accounts, not restricted accounts, not
accounts that have no shells, etc.  There are ways of moving these
programs around so only a few programs can execute them or even see
them (e.g. by setting permission bits and groups).

5. Can you mitigate the ability of the program to do only what it
needs to do and no more?  A good example is BIND.  Those who knew how
to set up BIND so that it ran in a chroot jail slept a lot better when
the li0n worm struck.

Ask these questions for each program you've found that's setuid root,
and take appropriate action.

-- 
Rafael R. Sevilla <[EMAIL PROTECTED]>   +63(2)   8177746 ext. 8311
Programmer, InterdotNet Philippines              +63(917) 4458925
http://dido.engr.internet.org.ph/                OpenPGP Key ID: 0x5CDA17D8
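An added helper script that turns the checklist's steps 2 and 4 into something you can run against the list `find` produces; it is not part of Rafael's post and assumes a GNU/Linux userland (GNU find's `-printf`, GNU `stat -c`) where the setuid test is spelled `-perm -4000`.

```shell
#!/bin/sh
# Added audit helper for the setuid checklist above (not part of the original
# post). Assumes a GNU/Linux userland: GNU find's -printf and GNU stat -c.

# Step 0: list setuid files below DIR as "mode owner group path", one per
# line. Modern GNU find spells the test "-perm -4000"; "+4000" is the old
# syntax quoted in the thread. -xdev keeps the scan on one filesystem.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 -printf '%m %u %g %p\n' 2>/dev/null
}

# Octal permission bits of FILE, e.g. 4755.
mode_of() {
    stat -c '%a' "$1"
}

# Step 4 triage: print setuid files owned by OWNER (default root) that are
# also executable by everyone, i.e. the ones nobody has restricted yet.
# The last octal digit is "other"; an odd digit means the x bit is set.
world_exec_setuid() {
    want=${2:-root}
    list_setuid "$1" | while read -r mode owner group path; do
        case "$mode" in
            *[1357]) if [ "$owner" = "$want" ]; then printf '%s\n' "$path"; fi ;;
        esac
    done
}

# Step 4 fix: keep setuid, but only members of GROUP may run (or read) it.
restrict_to_group() {
    chgrp "$2" "$1"
    chmod 4750 "$1"
}

# Step 2 fix: root can still run the program, but it is no longer setuid.
drop_setuid() {
    chmod u-s "$1"
}

# Stand-alone use: report world-executable setuid-root binaries under /.
if [ "${1:-}" = "--scan" ]; then
    world_exec_setuid / root
fi
```

Run it with `--scan` to get the step-4 candidates, then apply `restrict_to_group` or `drop_setuid` only after answering questions 1 to 3 for that particular program.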
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]

To subscribe to the Linux Newbies' List: send "subscribe" in the body to 
[EMAIL PROTECTED]
