[576] in linux-security and linux-alert archive
Re: SUID binaries
daemon@ATHENA.MIT.EDU (Bruce Murphy)
Sun Jan 28 13:15:10 1996
To: "Anthony C. Zboralski" <frantic@worldnet.net>
cc: Linux Security <linux-security@tarsier.cv.nrao.edu>
In-reply-to: Your message of "Thu, 25 Jan 1996 21:37:55 +0100."
<Pine.LNX.3.91.960125213638.313A-100000@trashint.sct.fr>
Reply-To: packrat@tartarus.uwa.edu.au
Date: Sun, 28 Jan 1996 13:10:51 +0800
From: Bruce Murphy <packrat@ratbox.rattus.uwa.edu.au>
In message <Pine.LNX.3.91.960125213638.313A-100000@trashint.sct.fr>,
"Anthony C. Zboralski" wrote:
[Mod: Quoting trimmed. --Jeff]
> I checked some of the SUID and here is a list of suspicious SUID binaries
> Should those files really be SUID by default? (Slackware 3.0):
> /usr/bin/chfn 4711 root bin (user can change his real name)
> /usr/bin/fix132x43 6755 root bin (seg fault on my machine)
> /usr/lib/svgalib/* 6755 root bin
> /usr/games/doom/linuxsdoom 4711 root bin (crashes)
> /usr/games/doom/killmouse 4711 root bin
> /usr/games/doom/startmouse 4711 root bin
> /usr/games/sastroid 4711
> /usr/X11R6/bin/xtetris 2711 root bin
> /usr/X11R6/bin/color_xterm 4755 root bin
> /usr/games/abuse-0.31/keydrv
> /usr/X11R6/bin/SuperProbe 4755 root bin

You really shouldn't have *any* games suid root. It just isn't worth
the risk. There's almost certainly going to be more bugs discovered
with the svga stuff. Unsuid /usr/games/*

Superprobe *shouldn't* be suid, I believe that xfree requires the
probing configure to be run as root to work anyway.

chfn needs to access the password file. Yes it does need suid to
run. Whether you need chfn is another matter entirely.

I suggest creating a games group/user to handle high-score tables
etc. This will fix the xtetris.

Svgalib? Do you *really* need people running vga apps on the console
of your computer? If you're at all concerned about security then the
console shouldn't be accessible anyway.

Cheers,
Bruce.
--
Packrat (BSc/BE;COSO;Wombat Admin)
Nihil illegitemi carborvndvm.
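
[Added example, not part of the original message: a shell sketch of the audit and the two fixes discussed above, i.e. clearing set-id bits under a games directory and moving a game to a dedicated games group for its score file. The function names are illustrative, and the group passed to use_games_group is assumed to exist already.]

```sh
#!/bin/sh
# Added example (not from the original post); function names are illustrative.

# Print every regular file under $1 that has the setuid (4000) or
# setgid (2000) bit set. -xdev keeps find on a single filesystem.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Long listing of the same files, for review before changing anything.
report_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} +
}

# Clear setuid and setgid on every such file under $1 (for example a
# games directory) and print each path that was changed.
strip_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec chmod u-s,g-s {} \; -print
}

# Replace setuid root with a dedicated games group: the binary runs
# setgid to that group and only the score file is group-writable.
# $1 = game binary, $2 = score file, $3 = group (assumed to exist).
use_games_group() {
    chgrp "$3" "$1" "$2" || return 1  # chgrp first: it can reset set-id bits
    chmod 2711 "$1" || return 1       # setgid only, no setuid, execute-only for others
    chmod 664 "$2"                    # owner and games group may write scores
}

# Typical order of use (paths from the post, run as root on a real system):
#   report_setid /usr/games
#   strip_setid  /usr/games
#   use_games_group /usr/X11R6/bin/xtetris <score file> games
```

Running report_setid first leaves a record of the original modes in case a binary turns out to need its bit restored.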