Re: SUID program removal

From: Scott Gifford (sgifford@suspectclass.com)
Date: 10/18/01


To: "Pacifi3r" <pacifi3r@hotmail.com>
Subject: Re: SUID program removal
From: Scott Gifford <sgifford@suspectclass.com>
Date: 18 Oct 2001 01:20:39 -0400
Message-ID: <ly3d4hcymw.fsf@gfn.org>


"Pacifi3r" <pacifi3r@hotmail.com> writes:

> Greetz,
> Newbie would like to know which programs on a base RedHat 7.1 install can
> have the SUID bit removed. Base in this instance means that no additional
> packages were selected for install.

Most of them. Get a list of all setuid and setgid programs on the
system, figure out which ones you will never need, and remove their
RPMs. For ones you will sometimes need, consider whether anybody
besides root will need to use them. On some of my systems, for
example, only root needs to traceroute, so I remove the setuid bit; on
nearly all of them, the "chfn", "chsh", etc. programs are more risk
than they're worth, so I remove their special privileges. With what's
left, consider whether it can be replaced with a safer alternative; I
generally remove sendmail and install qmail on systems that need mail,
for example. For whatever's left, leave the special permissions, and
pay very close attention to security mailing lists about those
programs.

Here's the command I use to find setXid programs on my system:

    find / /usr -xdev -type f -a \( -perm -04000 -o -perm -02000 \) -ls >/tmp/setXid.list

Good luck,

----ScottG.
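The audit Scott describes, carried a step further as an added example that is not part of the original post: list the setXid files, map them to their owning RPM, keep a baseline so later scans show newly privileged binaries, and strip the bits from a file that does not need them. The script name, AUDIT_ROOT variable and /tmp/setXid.base path are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit setuid/setgid files, keep a
# baseline to diff later scans against, and strip the bits where not needed.

# Regular files under $1 with setuid or setgid set, sorted in the C locale so
# the list is stable and usable with comm(1).
list_setxid() {
    find "$1" -xdev -type f \( -perm -04000 -o -perm -02000 \) -print 2>/dev/null \
        | LC_ALL=C sort
}

# Mode, owner, group and path of each setXid file, for human review.
describe_setxid() {
    list_setxid "$1" | while IFS= read -r f; do ls -ld "$f"; done
}

# On an rpm-based system, name the package owning each setXid file so an
# unneeded one can be removed as a package rather than by hand.
owning_packages() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available" >&2; return 1; }
    list_setxid "$1" | while IFS= read -r f; do rpm -qf "$f"; done
}

# Diff the current setXid set under $1 against baseline file $2 (written by
# list_setxid). Prints paths present in only one of the two; returns 1 if any
# differ, so a cron job can alert on newly privileged binaries.
check_baseline() {
    cur=$(mktemp) || return 2
    list_setxid "$1" > "$cur"
    diff_out=$(LC_ALL=C comm -3 "$cur" "$2")
    rm -f "$cur"
    [ -z "$diff_out" ] && return 0
    printf '%s\n' "$diff_out"
    return 1
}

# Strip setuid and setgid from one file (the "remove the setuid bit" step from
# the post), showing the mode before and after.
drop_setxid() {
    ls -ld "$1"
    chmod u-s,g-s "$1"
    ls -ld "$1"
}

# Stand-alone use, with assumed paths: AUDIT_ROOT=/ sh setxid-audit.sh creates
# /tmp/setXid.base on the first run and reports differences on later runs.
if [ -n "${AUDIT_ROOT:-}" ]; then
    if [ -f /tmp/setXid.base ]; then check_baseline "$AUDIT_ROOT" /tmp/setXid.base
    else list_setxid "$AUDIT_ROOT" > /tmp/setXid.base; describe_setxid "$AUDIT_ROOT"; fi
fi
```

Run the baseline check from cron and treat a non-zero exit as something to look at; a binary that gains a setuid bit without a package update is exactly the change the post says to watch for.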