Re: SUID program removal

From: Scott Gifford (sgifford@suspectclass.com)
Date: 10/18/01


To: "Pacifi3r" <pacifi3r@hotmail.com>
Subject: Re: SUID program removal
From: Scott Gifford <sgifford@suspectclass.com>
Date: 18 Oct 2001 01:20:39 -0400
Message-ID: <ly3d4hcymw.fsf@gfn.org>


"Pacifi3r" <pacifi3r@hotmail.com> writes:

> Greetz,
> Newbie would like to know which program on a base RedHat 7.1 install can
> have the SUID bit removed. Base in this instance means that no additional
> packages were selected for install.

Most of them. Get a list of all setuid and setgid programs on the
system, figure out which ones you will never need, and remove their
RPMs. For ones you will sometimes need, consider whether anybody
besides root will need to use them. On some of my systems, for
example, only root needs to traceroute, so I remove the setuid bit; on
nearly all of them, the "chfn", "chsh", etc. programs are more risk
than they're worth, so I remove their special privileges. With what's
left, consider whether it can be replaced with a safer alternative; I
generally remove sendmail and install qmail on systems that need mail,
for example. For whatever's left, leave the special permissions, and
pay very close attention to security mailing lists about those
programs.

Here's the command I use to find setXid programs on my system:

    find / /usr -xdev -type f -a \( -perm -04000 -o -perm -02000 \) -ls >/tmp/setXid.list

Good luck,

----ScottG.
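
The workflow described in this message (list the setXid files, decide which ones to keep, clear the bit on the rest), as an added example that is not part of the original post. The function names `audit_setxid` and `strip_setxid` and the allowlist file format are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit setuid/setgid files against a reviewed allowlist.
# audit_setxid, strip_setxid and the allowlist format are assumptions
# made for this example, not part of the original message.

# Print every setuid or setgid regular file under ROOT (same filesystem
# only, as with -xdev in the command above) that is not in ALLOWLIST.
# ALLOWLIST holds one absolute path per line; blank lines and lines
# starting with '#' are ignored. Paths containing newlines are not handled.
audit_setxid() {
    root=$1
    allowlist=$2
    find "$root" -xdev -type f \( -perm -04000 -o -perm -02000 \) -print |
    awk -v allow="$allowlist" '
        BEGIN {
            # Load the reviewed paths; a missing file means nothing is allowed.
            while ((getline line < allow) > 0)
                if (line != "" && line !~ /^#/) ok[line] = 1
        }
        !($0 in ok)
    ' | sort
}

# Read paths on stdin and clear both the setuid and setgid bits,
# leaving the ordinary rwx permissions untouched.
strip_setxid() {
    while IFS= read -r path; do
        chmod u-s,g-s -- "$path" && printf 'cleared: %s\n' "$path"
    done
}

# Report only when called as: script ROOT ALLOWLIST
# Review the output before piping it into strip_setxid.
if [ "$#" -eq 2 ]; then
    audit_setxid "$1" "$2"
fi
```

On an RPM-based system, `rpm -qf <path>` names the package that owns a reported file, for the cases where the whole package is to be removed rather than just the bit.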


