Re: SUID program removal

From: Johannes B. Ullrich (jullrich@euclidian.com)
Date: 10/18/01


Date: Wed, 17 Oct 2001 21:40:08 -0400 (EDT)
From: "Johannes B. Ullrich" <jullrich@euclidian.com>
To: Pacifi3r <pacifi3r@hotmail.com>
Subject: Re: SUID program removal
Message-ID: <Pine.LNX.4.33.0110172116510.15883-100000@johannes.euclidian.com>


It all depends of course as to how restrictive you want to be...
For a tool that helps guide you through the process, try Bastille
(http://bastille-linux.sourceforge.net/).

The basic idea is that you can take it off from whatever program you don't
want users other than root to run.

One compromise I find myself using: Setup a group of trusted users. (e.g.
'trusted'..). Make suid programs executable by this group.
e.g. chown root:trusted /bin/ping
     chmod 4750 /bin/ping
...

Here is a list I have hanging around from an unpatched RedHat install (but
not just base install):

CD Writer stuff. only required to be suid root if you want regular users
to burn CDs:
/usr/bin/cdda2wav
/usr/bin/cdrecord
/usr/bin/readcd
/usr/bin/mkisofs

you need this for at to be able to run other people's jobs.
/usr/bin/at

running perl with suid bit requires these
/usr/bin/suidperl
/usr/bin/sperl5.6.0

all the 'r' commands should just be removed.. rpm -ev rsh
/usr/bin/rcp
/usr/bin/rlogin
/usr/bin/rsh

only root needs to change password expiration. Has to be suid root if you
want users to check their password expiration
/usr/bin/chage

used to add groups and such. Does not need suid if only root is allowed to
administer groups.
/usr/bin/gpasswd

allows users to change passwords. Not required if you only allow ssh with
keys or if only root changes passwords (second option is probably not
good)
/usr/bin/passwd

allow users to play with finger settings .... decide if it is important
enough...
/usr/bin/chfn

allow users to change login shell. suid can be removed, but users have to
ask root to change shell for them.
/usr/bin/chsh

switch groups.. probably required on most systems
/usr/bin/newgrp

ssh should stay suid...
/usr/bin/ssh

crontab should stay suid...
/usr/bin/crontab

required for kde to check password. if you don't run kde and see this, do
an rpm -ev kdebase and get rid of it.
/usr/bin/kcheckpass

nntp stuff... another case for rpm -ev ...
/usr/bin/inndstart
/usr/bin/rnews
/usr/bin/startinnfeed

required for netware... rpm -ev in my case...
/usr/bin/nwsfind

decide if you need it or not.
/usr/bin/sudo

uucp/dialup stuff... I delete it usually.
/usr/bin/cu
/usr/bin/uucp
/usr/bin/uuname
/usr/bin/uustat
/usr/bin/uux

another file system maker required to write CDs.
/usr/bin/mkhybrid

Amanda (tape backup) stuff. if you need it, keep it suid. if not, remove
it altogether.
/usr/lib/amanda/calcsize
/usr/lib/amanda/killpgrp
/usr/lib/amanda/rundump
/usr/lib/amanda/runtar
/usr/lib/amanda/dumper
/usr/lib/amanda/planner

A lot of people disable suid on traceroute and ping. Decide if your users
need it or not.
/usr/sbin/traceroute
/bin/ping

sendmail... I like to keep it and keep suid on it. You need to keep it
suid root.
/usr/sbin/sendmail

GUI useradmin/network stuff.. you will need to keep it suid root if you
would like your users to disable/enable network interfaces.
/usr/sbin/usernetctl
/usr/sbin/userhelper

required to be suid root in order for apache to run CGIs as the owner of
the CGI.
/usr/sbin/suexec

more amanda (tape backup) stuff.
/usr/sbin/amcheck

more uucp stuff. take suid off
/usr/sbin/uucico
/usr/sbin/uuxqt

part of S/Key one time password system. If you use it, keep it suid.
/usr/sbin/skeyinit

more cd recording...
/usr/sbin/rscsi

you need this if you use X.
/usr/X11R6/bin/Xwrapper

video for linux config script. take suid off.
/usr/local/bin/v4l-conf

network traffic display. take suid off.
/usr/local/sbin/ntop

mount and unmount have to be suid root if you would like to allow users to
mount/unmount files. CD-ROMs for example often have to be mounted by the
user.
/bin/mount
/bin/umount

you will most likely need this if you would like users to be able to
become root (including you).
/bin/su

you will need these two mystery programs. they are used for password
checking and they need to be able to read /etc/shadow
/sbin/pwdb_chkpwd
/sbin/unix_chkpwd

I hope I didn't forget too many...

On Thu, 11 Oct 2001, Pacifi3r wrote:

> Greetz,
> Newbie would like to know which programs on a base RedHat 7.1 install can
> have the SUID bit removed. Base in this instance means that no additional
> packages were selected for install.
>
> Thanks
>

--
-------
jullrich@sans.org Join http://www.DShield.org
                          Distributed Intrusion Detection System
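The audit-and-restrict routine the mail describes (find the set-uid files, keep an allow list, and apply the chown root:trusted / chmod 4750 compromise to the rest), as an added example that is not part of the original message. The ALLOW list, the group name 'trusted' and the function names are assumptions; chown needs root, so the script reports when it cannot change the owner and still applies the mode.

```shell
#!/bin/sh
# Added example, not from the original mail. ALLOW is an assumed per-host
# policy: the set-uid paths that must stay as they are.
ALLOW="/bin/su /usr/bin/passwd /usr/bin/sudo /usr/bin/crontab /bin/mount /bin/umount /sbin/unix_chkpwd"

# Return 0 if $1 is on the allow list.
allowed() {
    for p in $ALLOW; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# List set-uid regular files below $1 (default: the root file system only).
list_suid() {
    find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null
}

# Print one "KEEP <path>" or "REVIEW <path>" line per set-uid file found.
audit_suid() {
    list_suid "$1" | while read -r f; do
        if allowed "$f"; then
            echo "KEEP $f"
        else
            echo "REVIEW $f"
        fi
    done
}

# Apply the compromise from the mail to $1: owner root, group $2 (default
# 'trusted'), mode 4750 so only root and group members can run it.
# chown is done first because chown clears the set-uid bit on Linux;
# chmod after it restores exactly the intended mode.
restrict_to_group() {
    grp="${2:-trusted}"
    chown "root:$grp" "$1" 2>/dev/null || echo "note: chown root:$grp $1 needs root" >&2
    chmod 4750 "$1"
}
```

Run `audit_suid` first and only pass the REVIEW lines you have decided about to `restrict_to_group`; the KEEP/REVIEW output is the record of what was on the box before any change.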
