[gentoo-dev] /sbin /usr/sbin security hole

2006-01-17 Thread Paweł Madej
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hello,

Today I've noticed that a common user does not have the /sbin and /usr/sbin dirs
in their PATH, but they can start all the tasks from those directories; for
example, on a server machine someone could run /sbin/shutdown and turn the
server off. For me it is a very big security hole.

Maybe it has to be set like that, maybe I'm wrong, but if so please tell
me why.


--
Paweł Madej aka Nysander
Member of QuanTeam  | RLU #357047
http://wiki.quanteam.info   | Gentoo Linux User
http://forum-farmaceutyczne.org | GPG key: 5861680B
| keyserver: http://pgp.mit.edu
Kielce, Poland  | UTF-8 Email Preferred

Looking to buy:  6x 73 GB UW3/Ultra160 SCSI 80 pin (SCA)
  ..::||::.. pair of PentiumIII Slot1 1GHz/ FSB 100 processors
  ..::||::.. 2x 256 MB SDRAM ECC Registered
Got any of this? Mail me with price and shipping costs.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDzO4vgvSMglhhaAsRAid1AJ9UU8uKgDmXVzGWCu+wtiCsutvg3wCeODEQ
WNtJXfOxciZCwNB/UwmtLyQ=
=hMHo
-END PGP SIGNATURE-

-- 
gentoo-dev@gentoo.org mailing list



Re: [gentoo-dev] /sbin /usr/sbin security hole

2006-01-17 Thread Frank Groeneveld

Hi,

You probably have /sbin/shutdown set suid, because on all my Gentoo 
boxes, normal users can't run it, only root can run it. (Permission 
denied). What is the output of ls -al /sbin/?


Greets,
Frank

Paweł Madej wrote:
> Hello,
>
> Today I've noticed that a common user does not have the /sbin and /usr/sbin dirs
> in their PATH, but they can start all the tasks from those directories; for
> example, on a server machine someone could run /sbin/shutdown and turn the
> server off. For me it is a very big security hole.
>
> Maybe it has to be set like that, maybe I'm wrong, but if so please tell
> me why.


--
gentoo-dev@gentoo.org mailing list



Re: [gentoo-dev] /sbin /usr/sbin security hole

2006-01-17 Thread Darryl Wagoner
Nysander,

If you are running a server where untrusted users have access then you really need
to understand Linux security better. I would read some books on Linux security if that is
the case.

Good luck
Darryl

On 1/17/06, Frank Groeneveld [EMAIL PROTECTED] wrote:
> Hi,
>
> You probably have /sbin/shutdown set suid, because on all my Gentoo
> boxes, normal users can't run it, only root can run it. (Permission
> denied). What is the output of ls -al /sbin/?

-- 
Darryl Wagoner - WA1GON
Evil triumphs when good men do nothing.
- Edmund Burke [1729-1797]


Re: [gentoo-dev] /sbin /usr/sbin security hole

2006-01-17 Thread Brian Harring
On Tue, Jan 17, 2006 at 02:17:50PM +0100, Paweł Madej wrote:
> Hello,
>
> Today I've noticed that a common user does not have the /sbin and /usr/sbin dirs
> in their PATH, but they can start all the tasks from those directories; for
> example, on a server machine someone could run /sbin/shutdown and turn the
> server off. For me it is a very big security hole.

Just because a binary is accessible, doesn't mean the user executing 
it has the keys to the kingdom- the binary is executing under that
user, meaning the execution context can do only what the user can do.

This is why setuid can be problematic: it makes the binary execute 
under its owner rather than the user calling it, so non-root can execute with 
root privs.  Note also I said problematic- there are cases where this 
is useful/needed (mount for example), it just has to be managed 
carefully.

Either way... this isn't a security hole; I would suggest you try 
executing some of the bins- as stated in the other email, this isn't 
an issue unless the user has gone and flagged those binaries setuid 
(e.g., the user did something _really_ dumb).

Thread should move over to gentoo-user for further details on setuid 
(after a bit of googling hopefully :)

~harring


pgpxRFSonbMHM.pgp
Description: PGP signature
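Brian's point, that a file in /sbin runs with the caller's privileges unless it carries the setuid bit, and Frank's request for `ls -al /sbin/` come down to one check: look for an `s` in the owner-execute or group-execute position of the mode string. The script below is an added example, not code from this thread or from Gentoo. It parses ls -l output (the sample listing is constructed; `badtool` with mode 4755 and a setgid `wall` are hypothetical entries, not files Gentoo ships) and then runs the same check live with `find` over whatever directories you name.

```sh
#!/bin/sh
# Added example (not code from the thread): audit directories for binaries
# that carry the setuid or setgid bit, the only way a file in /sbin can run
# with privileges the caller does not already have.  The sample listing is
# constructed; "badtool" and the setgid "wall" are hypothetical.

# Read "ls -l" style lines on stdin and print one line per entry whose mode
# string has 's' or 'S' in the owner-execute (setuid) or group-execute
# (setgid) position.  Output: "<setuid|setgid|both> <name>".
flag_privileged_modes() {
    awk '
    length($1) >= 10 && substr($1, 1, 1) ~ /[-lbcdps]/ {
        u = substr($1, 4, 1); g = substr($1, 7, 1)
        su = (u == "s" || u == "S"); sg = (g == "s" || g == "S")
        if (!su && !sg) next
        # For symlinks "name -> target", report the link name, not the target.
        name = $NF
        for (i = 2; i <= NF; i++) if ($i == "->") name = $(i - 1)
        if (su && sg) print "both " name
        else if (su) print "setuid " name
        else print "setgid " name
    }'
}

# Live check: regular files under the given directories with the setuid
# (4000) or setgid (2000) bit set, printed in ls -l form so the result can
# be piped into flag_privileged_modes.  -xdev stays on one filesystem.
find_privileged_files() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} + 2>/dev/null
}

# Constructed sample: halt and shutdown as Gentoo ships them (mode 755, no
# setuid, so a non-root caller just gets "must be superuser"), plus a
# hypothetical "badtool" someone chmod'ed 4755 and a hypothetical setgid "wall".
SAMPLE_LISTING='-rwxr-xr-x   1 root root   10984 Nov 29 16:39 halt
-rwxr-xr-x   1 root root   19424 Nov 29 16:39 shutdown
-rwsr-xr-x   1 root root   12345 Nov 29 16:39 badtool
-rwxr-sr-x   1 root tty    10000 Nov 29 16:39 wall
lrwxrwxrwx   1 root root       7 Dec 21 21:23 e2label -> tune2fs'

# Run the mode-string check over the constructed listing.
audit_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | flag_privileged_modes
}

# Count the setuid/setgid files the live check finds under the given
# directories (0 for a listing like the one posted in the thread).
count_privileged_files() {
    find_privileged_files "$@" | flag_privileged_modes | wc -l | tr -d ' '
}

# Usage: audit the constructed sample, then the real sbin directories.
audit_sample
echo "setuid/setgid files under /sbin and /usr/sbin: $(count_privileged_files /sbin /usr/sbin)"
```

On the listing Paweł posted every entry is `-rwxr-xr-x`, so the check prints nothing and `shutdown` refuses him; a `-rwsr-xr-x` owned by root is the case Frank and Brian are warning about, and `count_privileged_files` run as a cron job is a cheap way to notice one appearing.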


Re: [gentoo-dev] /sbin /usr/sbin security hole

2006-01-17 Thread Paweł Madej

Frank Groeneveld wrote:
> Hi,
>
> You probably have /sbin/shutdown set suid, because on all my Gentoo
> boxes, normal users can't run it, only root can run it. (Permission
> denied). What is the output of ls -al /sbin/?
>
> Greets,
> Frank
>
[EMAIL PROTECTED] ~ $ ls -al /sbin/
total 6680
drwxr-xr-x   2 root root    4096 Jan 13 18:17 .
drwxr-xr-x  18 root root    4096 Jan 12 11:20 ..
-rwxr-xr-x   1 root root   14892 Dec 21 21:25 agetty
-rwxr-xr-x   1 root root   47780 Sep 16 06:28 arp
-rwxr-xr-x   1 root root   11456 Sep 16 05:53 arping
-rwxr-xr-x   1 root root    8092 Dec 27 00:33 ata_id
-rwxr-xr-x   1 root root   18516 Dec 21 21:23 badblocks
-rwxr-xr-x   1 root root    8336 Dec 21 21:23 blkid
-rwxr-xr-x   1 root root    9212 Dec 21 21:25 blockdev
-rwxr-xr-x   1 root root   11932 Nov 29 16:39 bootlogd
-rwxr-xr-x   1 root root    7552 Dec 27 00:33 cdrom_id
-rwxr-xr-x   1 root root   53068 Dec 21 21:25 cfdisk
-rwxr-xr-x   1 root root    3416 Jan 13 18:17 consoletype
-rwxr-xr-x   1 root root    4832 Dec 27 00:33 create_floppy_devices
-rwxr-xr-x   1 root root    4100 Dec 21 21:25 ctrlaltdel
-rwx------   1 root root      89 Dec 18 23:08 d2lod_mounter
-rwxr-xr-x   1 root root   65220 Dec 21 21:23 debugfs
-rwxr-xr-x   1 root root   36900 Dec 29 01:46 depmod
-rwxr-xr-x   1 root root   86500 Dec 29 01:46 depmod.old
-rwxr-xr-x   1 root root    2077 Jan 13 18:17 depscan.sh
-rwxr-xr-x   1 root root   43712 Nov 28 23:44 dhcpcd
-rwxr-xr-x   1 root root   10332 Dec 21 21:23 dumpe2fs
-rwxr-xr-x   1 root root  140700 Dec 21 21:23 e2fsck
-rwxr-xr-x   1 root root   12400 Dec 21 21:23 e2image
lrwxrwxrwx   1 root root       7 Dec 21 21:23 e2label -> tune2fs
-rwxr-xr-x   1 root root    6096 Dec 21 21:25 elvtune
-rwxr-xr-x   1 root root     692 Jan 13 18:17 env-update.sh
-rwxr-xr-x   1 root root   82500 Dec 21 21:25 fdisk
-rwxr-xr-x   1 root root    6884 Dec 21 21:23 filefrag
lrwxrwxrwx   1 root root       7 Dec 21 21:23 findfs -> tune2fs
-rwxr-xr-x   1 root root    9560 Dec 27 00:33 firmware_helper
-rwxr-xr-x   1 root root    1712 Jan  4 11:01 fix_libtool_files.sh
-rwxr-xr-x   1 root root   18752 Dec 21 21:23 fsck
-rwxr-xr-x   1 root root   10904 Dec 21 21:25 fsck.cramfs
lrwxrwxrwx   1 root root       6 Dec 21 21:23 fsck.ext2 -> e2fsck
lrwxrwxrwx   1 root root       6 Dec 21 21:23 fsck.ext3 -> e2fsck
-rwxr-xr-x   1 root root   22556 Dec 21 21:25 fsck.minix
-rwxr-xr-x   1 root root   18858 Jan 13 18:17 functions.sh
-rwxr-xr-x   1 root root    9116 Dec 29 01:46 generate-modprobe.conf
-rwxr-xr-x   1 root root   34108 Dec 29 01:46 genksyms
-rwxr-xr-x   1 root root  135552 Nov 29 17:43 grub
-rwxr-xr-x   1 root root   12912 Nov 29 17:43 grub-install
-rwxr-xr-x   1 root root    2304 Nov 29 17:43 grub-md5-crypt
-rwxr-xr-x   1 root root    2533 Nov 29 17:43 grub-set-default
-rwxr-xr-x   1 root root    2473 Nov 29 17:43 grub-terminfo
-rwxr-xr-x   1 root root   10984 Nov 29 16:39 halt
-rwxr-xr-x   1 root root   56176 Dec 31 08:42 hdparm
-rwxr-xr-x   1 root root    1160 Sep 16 06:58 hotplug
-rwxr-xr-x   1 root root   29588 Dec 21 21:25 hwclock
-rwxr-xr-x   1 root root     807 Dec 31 08:42 idectl
-rwxr-xr-x   1 root root   61332 Sep 16 06:28 ifconfig
-rwxr-xr-x   1 root root   35688 Nov 29 16:39 init
-rwxr-xr-x   1 root root    6836 Dec 29 01:46 insmod
-rwxr-xr-x   1 root root     359 Dec 29 01:46 insmod_ksymoops_clean
-rwxr-xr-x   1 root root  132680 Dec 29 01:46 insmod.old
-rwxr-xr-x   1 root root  472336 Dec 29 01:46 insmod.static
-rwxr-xr-x   1 root root  667968 Dec 29 01:46 insmod.static.old
-rwxr-xr-x   1 root root    1512 Nov 29 11:14 installkernel
-rwxr-xr-x   1 root root   12068 Sep 16 06:28 ipmaddr
-rwxr-xr-x   1 root root   16288 Sep 16 06:28 iptunnel
lrwxrwxrwx   1 root root      10 Dec 29 01:46 kallsyms -> insmod.old
lrwxrwxrwx   1 root root      17 Dec 29 01:46 kallsyms.static -> insmod.static.old
-rw-r--r--   1 root root       0 Dec 12 12:28 .keep
-rwxr-xr-x   1 root root     451 Dec 29 01:46 kernelversion
-rwxr-xr-x   1 root root   10700 Nov 29 16:39 killall5
lrwxrwxrwx   1 root root      10 Dec 29 01:46 ksyms -> insmod.old
lrwxrwxrwx   1 root root      17 Dec 29 01:46 ksyms.static -> insmod.static.old
-rwxr-xr-x   1 root root  598704 Jan  4 12:27 ldconfig
-rwxr-xr-x   1 root root    6412 Dec 21 21:23 logsave
-rwxr-xr-x   1 root root   45000 Dec 21 21:25 losetup
lrwxrwxrwx   1 root root      12 Dec 29 01:46 lsmod -> ../bin/lsmod
lrwxrwxrwx   1 root root      10 Dec 29 01:46 lsmod.old -> insmod.old
lrwxrwxrwx   1 root root      13 Dec 29 01:46 lsmod.static -> insmod.static
-rwxr-xr-x   1 root root   51166 Jan 13 18:17 MAKEDEV
-rwxr-xr-x   1 root root   12516 Sep 16 06:28 mii-tool
-rwxr-xr-x   1 root root   31768 Dec 21 21:23 mke2fs
-rwxr-xr-x   1 root root    5368 Dec 21 21:25 mkfs
-rwxr-xr-x   1 root root    8584 Dec 21 21:25 mkfs.bfs
-rwxr-xr-x   1 root root   

Re: [gentoo-dev] /sbin /usr/sbin security hole

2006-01-17 Thread Richard Fish
On 1/17/06, Paweł Madej [EMAIL PROTECTED] wrote:
> [EMAIL PROTECTED] ~ $ ls -al /sbin/

Please don't bother the devs with this anymore.  We will be happy to
explain the intricacies of unix permissions on gentoo-user.

-Richard

-- 
gentoo-dev@gentoo.org mailing list



Re: [gentoo-dev] /sbin /usr/sbin security hole

2006-01-17 Thread Drake Wyrm
Paweł Madej [EMAIL PROTECTED] wrote:
> Frank Groeneveld wrote:
> > You probably have /sbin/shutdown set suid, because on all my Gentoo
> > boxes, normal users can't run it, only root can run it. (Permission
> > denied). What is the output of ls -al /sbin/?
>
> [EMAIL PROTECTED] ~ $ ls -al /sbin/
[snip]
> -rwxr-xr-x   1 root root   10984 Nov 29 16:39 halt
[snip]
> -rwxr-xr-x   1 root root   19424 Nov 29 16:39 shutdown
[snip]

Looks to be in order. If you run halt or shutdown as a non-root user,
you should get a terse refusal. shutdown will also give you a standard
usage dump.

pts://[EMAIL PROTECTED]:3/ halt
halt: must be superuser.
pts://[EMAIL PROTECTED]:3/ shutdown
shutdown: you must be root to do that!
Usage:    shutdown [-akrhPHfFnc] [-t sec] time [warning message]
[snip]

-- 
mount /dev/wyrm /mnt/bed ; sleep 28800
-- 
gentoo-dev@gentoo.org mailing list