Re: Linux Hardening

From: Nate Campi (nate@campin.net)
Date: 05/29/02


Date: Tue, 28 May 2002 20:29:38 -0700
From: Nate Campi <nate@campin.net>
To: focus-linux@securityfocus.com

On Mon, May 27, 2002 at 03:58:04PM -0600, Kurt Seifried wrote:
>
> You can remove pretty much all root setuid/setgid bits with the exception of
> sudo, password utilities (passwd, chsh, chfn), newgrp, at, crontab, and a
> handful of others without significantly removing functionality.

All my firewall and loghost builds mount *every* filesystem nosuid. This
doesn't work well on multiuser boxes; you end up needing the suid bit
set on binaries like the ones Mr Seifried listed above. It works great
on boxes where security is critical, and you don't even have to worry
about patches/updates resetting the suid bit on programs ;)

Your mileage may vary.

-- 
"Old programmers never die. They just can't C as well."  -Anon.  
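
An added example, not part of the message above or of anything the poster shipped: two POSIX shell helpers for auditing a "nosuid everywhere" build of the kind described. `missing_nosuid` reads /proc/mounts-format lines and reports mount points whose option list lacks nosuid; `find_setuid` lists setuid/setgid regular files under a directory. The mount table embedded in the script is a constructed sample so that it runs offline; the `--live` flag is this example's own convention for running against the real /proc/mounts.

```shell
#!/bin/sh
# Added example (not from the original post): audit helpers for a host
# that is meant to have every filesystem mounted nosuid.

# missing_nosuid: read /proc/mounts-style lines on stdin and print the
# mount points whose options do not include "nosuid".
# /proc/mounts fields: device mountpoint fstype options dump pass
missing_nosuid() {
    while read -r dev mnt fstype opts rest; do
        case ",$opts," in
            *,nosuid,*) ;;                 # already hardened, skip
            *) printf '%s\n' "$mnt" ;;     # report the gap
        esac
    done
}

# find_setuid: list regular files with the setuid or setgid bit under a
# directory, staying on one filesystem (-xdev). On a fully nosuid host the
# bits are inert at exec time, but the list shows which binaries would
# regain privilege if a mount were ever redone without nosuid.
# (-perm -4000 / -perm -2000 rather than GNU's -perm /6000, for portability.)
find_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Constructed sample of /proc/mounts output (not captured from a real host).
# / and /usr deliberately lack nosuid so the audit has something to report.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /var ext4 rw,nosuid,nodev,relatime 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda4 /usr ext4 rw,relatime 0 0'

# audit_sample: run the mount check over the embedded sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_MOUNTS" | missing_nosuid
}

if [ "${1:-}" = "--live" ]; then
    echo "Filesystems mounted without nosuid:"
    missing_nosuid < /proc/mounts
    echo "Setuid/setgid files on the root filesystem:"
    find_setuid /
else
    echo "Filesystems in the sample mounted without nosuid:"
    audit_sample
fi
```

Against the sample the audit reports `/` and `/usr`. To close such a gap the `nosuid` keyword goes into the options field of the corresponding /etc/fstab line (and the filesystem is remounted). One caveat for modern Linux that postdates the message: on a nosuid mount the kernel ignores file capabilities as well as the setuid/setgid bits, so binaries that rely on capabilities rather than setuid break the same way passwd or sudo would.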
