On Mon, 31 Jan 2005 14:27:18 -0500 Stefan Bruda <[EMAIL PROTECTED]> wrote:
> At 20:18 -0500 on 2005-1-30 Andrew wrote:
>
> > I've been reading the cert.org site and found quite a few setuid files
> > using this command, as suggested on the site.
> >
> > find / -user root -perm -4000 -print
> >
> > I have the full results both on disk and paper. Many of them
> > contain 'passwd', 'login' and 'share' in the name.
>
> It is not necessarily a security issue. Many executables are
> legitimately SUID or SGID. On my system for instance, the following
> files are legitimately SUID:
>
> /usr/X11R6/bin/root-tail, /bin/passwd, /etc/pam.d/cron,
> /var/run/jack, /usr/lib/misc/pt_chown, /usr/lib/misc/ssh-keysign,
> /usr/bin/nwsfind, /usr/bin/ncpmount, /usr/bin/ncpumount,
> /usr/bin/ncplogin, /usr/bin/ncpmap, /usr/sbin/utempter,
> /usr/sbin/suexec2, /usr/sbin/traceroute, /usr/X11R6/bin/XFree86,
> /usr/X11R6/bin/Xorg, /usr/bin/chage, /usr/bin/chfn, /usr/bin/chsh,
> /usr/bin/expiry, /usr/bin/gpasswd, /usr/bin/newgrp,
> /usr/bin/passwd, /usr/bin/tracepath, /usr/bin/crontab,
> /usr/bin/lppasswd, /usr/bin/xscreensaver, /usr/bin/procmail,
> /usr/bin/gpg, /usr/bin/sudo, /usr/libexec/lockspool,
> /usr/kde/3.3/bin/artswrapper, /usr/kde/3.3/bin/kgrantpty,
> /usr/kde/3.3/bin/fileshareset, /usr/kde/3.3/bin/kpac_dhcp_helper,
> /usr/kde/3.3/bin/kcheckpass, /sbin/pam_timestamp_check,
> /sbin/unix_chkpwd, /bin/su, /bin/mount, /bin/umount, /bin/ping
>
> And these are the legitimate SGID files:
>
> /usr/sbin/sendmail, /usr/bin/man, /usr/bin/write,
> /usr/bin/slocate, /usr/bin/dotlockfile, /usr/bin/gnomine,
> /usr/bin/same-gnome, /usr/bin/mahjongg, /usr/bin/gtali,
> /usr/bin/gnome-stones, /usr/bin/gnotravex, /usr/bin/gnotski,
> /usr/bin/glines, /usr/bin/gnobots2, /usr/bin/gnibbles,
> /usr/bin/gnometris, /usr/bin/lockfile,
> /usr/libexec/gnome-pty-helper, /usr/kde/3.3/bin/kdesud
>
> I have a small cron job that looks for suspicious set-uid files
> regularly (excluding the above), which I actually recommend as a small
> improvement in the overall security of the system.
>
> > I also noticed several weird .hidden files in the /tmp directory, most
> > of them starting with ssh-. I promptly deleted them all and they're
> > coming back! :-?
>
> The ssh- prefixed temporary files come from ssh-agent, see `man
> ssh-agent.' I am guessing that you launch the agent at the beginning
> of a shell session or something, and this creates those files
> (directories actually).
>
> In terms of security, you may want to stay tuned to the security
> advisories, and even so install (and use) a good firewall (hand made
> is best in my opinion), a decent log watcher, tripwire
> (http://www.tripwire.org/) and chkrootkit (http://www.chkrootkit.org/)
> at the minimum. Portsentry and its brethren
> (http://sourceforge.net/projects/sentrytools/) are also very useful
> tools. Finally, the book `Real World Linux Security'
> (http://www.realworldlinuxsecurity.com/) makes for interesting
> reading on the matter.
>
> Stefan

Thanks. Now this is relevant info!

I'd like to know more about the cron job.

Let's compare the SUID files I gathered with the list you provided.
Maybe some packages are not installed on your system but are on mine.

/usr/bin/fliccd, /usr/bin/sperl5.8.3, /usr/bin/rcp, /usr/bin/at,
/usr/bin/rlogin, /usr/bin/suidperl, /usr/bin/rsh, /usr/bin/su,
/usr/bin/tvtime, /usr/libexec/pt_chown, /usr/libexec/openssh/ssh-keysign,
/usr/bin/kpac_dhcp_helper, /usr/sbin/suexec, /usr/sbin/usernetctl,
/usr/sbin/kppp, /usr/sbin/userhelper, /usr/lib/news/bin/startinnfeed,
/usr/lib/news/bin/inndstart, /usr/lib/mol/0.9.71/bin/mol, /bin/ping6,
/sbin/pwdb_chkpwd, /sbin/unix_chkpwd.

Observations:

- Your su, pt_chown, ssh-keysign, kpac_dhcp_helper, traceroute are not
  in the same directory as mine. How come?

_______________________________________________
yellowdog-general mailing list
[email protected]
http://lists.terrasoftsolutions.com/mailman/listinfo/yellowdog-general
HINT: to Google archives, try '<keywords> site:terrasoftsolutions.com'
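One way to build the kind of cron job Stefan describes (record the reviewed SUID/SGID files once, then report anything that appears, disappears, or changes mode or owner), as an added example that is not from either poster: a POSIX shell script relying on the standard find, ls, diff and awk tools. The script name, default baseline path and crontab schedule are assumptions.

```shell
#!/bin/sh
# setid-check.sh (assumed name): baseline the SUID/SGID files on a system
# and report drift from cron.  Usage:
#   setid-check.sh init  [root] [baseline]   # record the reviewed baseline once
#   setid-check.sh check [root] [baseline]   # list changes and exit 1 if any
# Example crontab entry (assumed schedule and paths):
#   0 3 * * * /usr/local/sbin/setid-check.sh check / /var/lib/setid.baseline

# Print "mode owner group path" for every SUID or SGID regular file under
# $1, staying on one filesystem, sorted by path so two runs can be diffed.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} + 2>/dev/null |
    awk '{ p = $9; for (i = 10; i <= NF; i++) p = p " " $i; print $1, $3, $4, p }' |
    sort -k4
}

# Record the current, manually reviewed state as the known-good baseline.
init_baseline() {
    list_setid "$1" > "$2"
}

# Compare the live state with the baseline.  Removed entries are printed
# with a "- " prefix, new ones with "+ "; a changed mode or owner on a
# known path shows up as one "-" line and one "+" line.
# Returns 0 when nothing changed, 1 when something did.
check_baseline() {
    tmp=$(mktemp) || return 2
    list_setid "$1" > "$tmp"
    changes=$(diff "$2" "$tmp" | grep '^[<>]' | sed 's/^< /- /; s/^> /+ /')
    rm -f "$tmp"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

case "${1:-}" in
    init)  init_baseline  "${2:-/}" "${3:-/var/lib/setid.baseline}" ;;
    check) check_baseline "${2:-/}" "${3:-/var/lib/setid.baseline}" ;;
esac
```

Run it as root so find can read every directory; cron mails the output, which is empty unless the set-id inventory changed.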
