[118] in linux-security and linux-alert archive
Re: "Find all the SUID programs." Fine. So which *should* be SUID?
daemon@ATHENA.MIT.EDU (Panzer Boy)
Sun Mar 12 07:14:36 1995
To: linux-security@tarsier.cv.nrao.edu
From: panzer@dhp.com (Panzer Boy)
Date: 12 Mar 1995 03:13:23 -0500
Reply-To: linux-security@tarsier.cv.nrao.edu
Andrew Cromarty (andy@distrib.com) wrote:
: 1. What's a good Linux-specific spec for file permissions, against which
: we can compare our "find" and "cops" output? I.e. what *should* be
: SUID, SGID, world-unreadable, etc.?
Well. Here's my output. Not a de facto standard in any way. But at
least a start. ('lusers' group is made up entirely of people who have
physical access to the machine)
*** X11 Stuff, both R5 & R6, Servers are only runnable by 'lusers'
-rwsr-x--- 1 root lusers 947204 May 8 1994 /usr2/X11/bin/XF86_S3
-rwsr-x--- 1 root lusers 951300 May 8 1994 /usr2/X11/bin/XF86_SVGA
-rwsr-xr-x 1 root bin 9220 Mar 10 1994 /usr2/X11/bin/xload
-rwsr-xr-x 1 root bin 119812 Mar 10 1994 /usr2/X11/bin/xterm
-rwsr-xr-x 1 root bin 119812 May 6 1994 /usr2/X11/bin/color_xterm
-rwsr-x--- 1 root lusers 1474029 Sep 28 03:52 /usr2/X11R6/bin/XF86_S3
-rwsr-x--- 1 root lusers 1611448 Sep 28 03:52 /usr2/X11R6/bin/XF86_SVGA
-rwsr-xr-x 1 root root 119812 Sep 28 03:50 /usr2/X11R6/bin/xterm
-rwsr-xr-x 1 root root 9220 Sep 28 04:04 /usr2/X11R6/bin/xload
*** Procmail, Screen, and tin (suid news)
-rwsr-sr-x 1 root mail 41988 Aug 12 1994 /usr2/local/bin/procmail
-rwsr-xr-x 1 root root 144388 May 6 1994 /usr2/local/bin/screen
-rwsr-sr-x 1 news news 222212 Aug 12 1994 /usr2/local/bin/tin
*** SVGALib stuff, again only 'lusers' if at all
-rwsr-x--- 1 root lusers 1916 May 26 1994 /usr2/local/bin/restorefont
-rwsr-x--- 1 root lusers 2140 May 26 1994 /usr2/local/bin/restorepalette
-rwsr-x--- 1 root lusers 1900 May 26 1994 /usr2/local/bin/restoretextmode
-rwsr-x--- 1 root lusers 1236 May 26 1994 /usr2/local/bin/dumpreg
-rwsr-x--- 1 root lusers 2048 May 26 1994 /usr2/local/bin/fix132x43
-rwsr-x--- 1 root lusers 1420 Sep 22 23:20 /usr2/local/bin/setmclk
*** Skey stuff, modifies a file similar to passwd
-rwsr-xr-x 1 root root 29700 Sep 22 23:20 /usr2/local/bin/skey.init
*** System utils that mod files in restricted space
-rwsr-xr-x 1 root bin 10120 Mar 14 1994 /usr/bin/at
-r-sr-xr-x 1 root bin 17412 Dec 12 1993 /usr/bin/crontab
-rws--x--x 1 root root 21508 May 6 1994 /usr/bin/chage
-rwsr-xr-x 1 root root 17412 May 6 1994 /usr/bin/chfn
-rwsr-xr-x 1 root root 13316 May 6 1994 /usr/bin/chsh
*** Printing only for 'lusers'
-rwsr-s--- 1 root lusers 9300 Jul 2 1994 /usr/bin/lpq
-rwsr-s--- 1 root lusers 10008 Jul 2 1994 /usr/bin/lpr
-rwsr-s--- 1 root lusers 8772 Jul 2 1994 /usr/bin/lprm
*** Deliver should probably be in /usr/local/bin, but Slackware has a strange
way of installing some packages
-rws--x--x 1 root mail 37892 Dec 1 1993 /usr/bin/deliver
*** To allow the program to initiate connections from lower ports, though
I for the most part don't see why this needs to be done.
-r-sr-xr-x 1 root bin 13316 Feb 12 1994 /usr/bin/rlogin
-r-sr-xr-x 1 root bin 9220 Feb 12 1994 /usr/bin/rsh
-r-sr-xr-x 1 root root 5584 Feb 2 1994 /usr/bin/traceroute
*** UUCP stuff, if you never plan on using it, get rid of uucp access
-r-sr-xr-x 1 uucp bin 91140 Dec 2 1993 /usr/bin/cu
-r-sr-xr-x 1 uucp bin 62468 Dec 2 1993 /usr/bin/uux
-r-sr-xr-x 1 uucp bin 58372 Dec 2 1993 /usr/bin/uucp
-r-sr-xr-x 1 uucp bin 29700 Dec 2 1993 /usr/bin/uuname
-r-sr-xr-x 1 uucp bin 70660 Dec 2 1993 /usr/bin/uustat
-r-sr-s--- 1 uucp uucp 41988 Dec 2 1993 /usr/lib/uucp/uuchk
---s--s--x 1 uucp uucp 164868 Dec 2 1993 /usr/lib/uucp/uucico
-r-sr-s--- 1 uucp uucp 70660 Dec 2 1993 /usr/lib/uucp/uuconv
-r-sr-s--- 1 uucp uucp 300 Dec 2 1993 /usr/lib/uucp/uusched
---s--s--x 1 uucp uucp 70660 Dec 2 1993 /usr/lib/uucp/uuxqt
*** We run pgp-sendmail, which sits in front of sendmail.real, non-suid
-r-sr-sr-x 1 root mail 160772 Mar 10 18:50 /usr/lib/sendmail.real
*** /bin/login doesn't need to be suid root, as it should for the most part
only be called by root owned procs. ping for icmp. passwd stuff for
access to restricted shells.
-r-s--x--x 1 root root 29700 Aug 21 1994 /bin/login
-r-s--x--x 1 root root 50180 Aug 28 1994 /bin/login.skey
-r-s--x--x 1 root root 16956 Nov 16 1993 /bin/su
-r-s--x--x 1 root root 41988 Aug 28 1994 /bin/su.skey
-rws--x--x 1 root bin 8716 Feb 12 1994 /bin/ping
-rws--x--x 1 root root 25604 May 6 1994 /bin/passwd
-rws--x--x 1 root root 17412 May 6 1994 /bin/gpasswd
-rws--x--x 1 root root 17412 May 6 1994 /bin/newgrp
Those are mine, though if someone notices something that shouldn't be as
it is, please email me... :)
Also remember anything run from rc files will be run as root, and
anything run from inetd will be also.
--
-Matt (panzer@dhp.com) DI-1-9026
"That which can never be enforced should not be prohibited."
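
An added example, not part of the original post: one way to use a listing like the one above as the baseline that the quoted question asks for, by diffing a fresh `ls -l` listing of SUID/SGID files against it. The function names, the CURRENT sample and the path /usr/local/bin/newtool are assumptions made for illustration; the BASELINE lines are copied from the post.

```python
"""Compare an `ls -l` listing of SUID/SGID files against a reviewed baseline."""

# Baseline: one heading and three entries copied from the listing in the post.
BASELINE = """\
*** Printing only for 'lusers'
-rwsr-s--- 1 root lusers 9300 Jul 2 1994 /usr/bin/lpq
-r-s--x--x 1 root root 16956 Nov 16 1993 /bin/su
-rws--x--x 1 root bin 8716 Feb 12 1994 /bin/ping
"""

# Current state: constructed sample. lpq has become world-executable, ping is
# gone, a hypothetical new SUID binary has appeared, and ls is not SUID at all.
CURRENT = """\
-rwsr-sr-x 1 root lusers 9300 Jul 2 1994 /usr/bin/lpq
-r-s--x--x 1 root root 16956 Nov 16 1993 /bin/su
-rwsr-xr-x 1 root root 20480 Mar 11 1995 /usr/local/bin/newtool
-rwxr-xr-x 1 root root 12345 Jan 1 1995 /bin/ls
"""

def parse_listing(text):
    """Map path -> (mode, owner, group) for SUID/SGID regular files."""
    entries = {}
    for line in text.splitlines():
        f = line.split()
        # Skip headings ("*** ..."), blank lines and non-regular files.
        if len(f) < 9 or len(f[0]) < 10 or f[0][0] != "-":
            continue
        mode = f[0][:10]
        # In ls notation, s/S in the owner or group execute slot marks SUID/SGID.
        if mode[3] in "sS" or mode[6] in "sS":
            entries[" ".join(f[8:])] = (mode, f[2], f[3])
    return entries

def audit(baseline_text, current_text):
    """Return (kind, path, (mode, owner, group)) for every deviation."""
    base, cur = parse_listing(baseline_text), parse_listing(current_text)
    findings = []
    for path in sorted(set(base) | set(cur)):
        if path not in base:
            findings.append(("NEW", path, cur[path]))      # never reviewed
        elif path not in cur:
            findings.append(("GONE", path, base[path]))    # removed or bit cleared
        elif base[path] != cur[path]:
            findings.append(("CHANGED", path, cur[path]))  # mode/owner/group drift
    return findings

if __name__ == "__main__":
    for kind, path, (mode, owner, group) in audit(BASELINE, CURRENT):
        print(f"{kind:8}{mode} {owner}:{group} {path}")
```
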