[122] in linux-security and linux-alert archive
Re: "Find all the SUID programs." Fine. So which *should* be SUID?
daemon@ATHENA.MIT.EDU (R.E.Wolff@et.tudelft.nl)
Sun Mar 12 13:29:14 1995
To: linux-security@tarsier.cv.nrao.edu
Date: Sun, 12 Mar 1995 19:00:06 +0100 (MET)
In-Reply-To: <3juaf3$os6@dhp.com> from "Panzer Boy" at Mar 12, 95 03:13:23 am
From: R.E.Wolff@et.tudelft.nl
Reply-To: linux-security@tarsier.cv.nrao.edu
>
> Andrew Cromarty (andy@distrib.com) wrote:
> least a start. ('lusers' group is made up entirely of people who have
> physical access to the machine)
>
> *** X11 Stuff, both R5 & R6, Servers are only runnable by 'lusers'
> -rwsr-xr-x 1 root bin 9220 Mar 10 1994 /usr2/X11/bin/xload
> -rwsr-xr-x 1 root root 9220 Sep 28 04:04 /usr2/X11R6/bin/xload
These ones were, but no longer are suid on my system. I don't think it
should be set-uid on Linux.
> *** Procmail, Screen, and tin (suid news)
> -rwsr-sr-x 1 news news 222212 Aug 12 1994 /usr2/local/bin/tin
I wouldn't trust "tin".
> *** System utils that mod files in restricted space
> -rwsr-xr-x 1 root root 17412 May 6 1994 /usr/bin/chfn
> -rwsr-xr-x 1 root root 13316 May 6 1994 /usr/bin/chsh
I'd group these with "passwd".
> *** Deliver should probably be in /usr/local/bin, but slackware has strange
> way of installing some packages
> -rws--x--x 1 root mail 37892 Dec 1 1993 /usr/bin/deliver
For your information: the "rule" is that slackware comes with a clean
/usr/local. All that ends up there is yours.....
>
> *** To allow the program to initiate connections from lower ports, though
> I for the most part don't see why this needs to be done.
> -r-sr-xr-x 1 root bin 13316 Feb 12 1994 /usr/bin/rlogin
> -r-sr-xr-x 1 root bin 9220 Feb 12 1994 /usr/bin/rsh
> -r-sr-xr-x 1 root root 5584 Feb 2 1994 /usr/bin/traceroute
rlogin tells the other side "this user is called wolff, can you let him
in". If you allow rlogind to accept this from any port, any user could
write a new rlogin program that pretends to be anyone.
Roger.
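
Added example, not part of the original message: a small audit that follows the thread's question by listing every set-uid/set-gid file under a directory and flagging those that are not on a reviewed allowlist. The function names `audit_suid` and `make_sample_tree`, the allowlist format (one absolute path per line) and the sample tree are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original message): list set-uid/set-gid files
# under DIR and flag any that are missing from a reviewed allowlist.
# The allowlist format (one absolute path per line) is an assumption.

# audit_suid DIR ALLOWLIST
# Prints "OK|REVIEW <mode> <owner>:<group> <path>" per file found.
# Returns 1 if at least one file is not on the allowlist, else 0.
audit_suid() {
    dir=$1
    allow=$2
    find "$dir" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print |
    (
        rc=0
        while IFS= read -r f; do
            # Mode string and ownership, as in the ls -l listings quoted above.
            meta=$(ls -ld -- "$f" | awk '{print $1, $3 ":" $4}')
            if grep -Fxq -- "$f" "$allow"; then
                printf 'OK      %s %s\n' "$meta" "$f"
            else
                printf 'REVIEW  %s %s\n' "$meta" "$f"
                rc=1
            fi
        done
        exit "$rc"
    )
}

# make_sample_tree DIR: constructed test data, three small files, two set-uid.
make_sample_tree() {
    mkdir -p "$1/bin"
    for name in passwd xload ls; do
        printf '#!/bin/sh\n' > "$1/bin/$name"
        chmod 755 "$1/bin/$name"
    done
    chmod u+s "$1/bin/passwd" "$1/bin/xload"
    # Only passwd is on the constructed allowlist.
    printf '%s\n' "$1/bin/passwd" > "$1/allow.txt"
}

# Usage: sh audit_suid.sh DIR ALLOWLIST
if [ "$#" -eq 2 ]; then
    audit_suid "$1" "$2"
fi
```

A non-zero exit status makes the script usable from cron or a package post-install hook: any set-uid file that appears without a matching allowlist entry shows up as a `REVIEW` line.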