From: Ned Ludd
Reply-To: solar@gentoo.org
To: gentoo-dev@gentoo.org
Date: 03 Jun 2003 16:10:12 -0400
Subject: [gentoo-dev] Towards less insecure permissions on gentoo
Message-Id: <1054671011.20032.320.camel@simple>

A lot of the suid binaries that get installed on a Gentoo system seem to have had their default permissions overlooked. Today we will cover the group and other readable bits and why I think they should be removed on installed setid ELFs.

A lot of the common buffer overflow exploits these days rely on knowing predefined offsets or relocation addresses. Sometimes these offsets are not known to the exploit itself at compile time, and the author often leaves it up to the local attacker to find the offsets using tools such as objdump, readelf or examminer. Now if the local attacker is unable to read the binary he/she won't be able to discover these offsets, thus making future exploitation harder on a Gentoo system. The "least privilege" rule, strictly applied, can save us from a lot of unexpected trouble.

You can use the following command to see what setid files you have and what port they came from.
(requires gentoolkit)

find / \( -perm -04000 -o -perm -02000 \) -type f -ls 2> /dev/null | while read -r line; do suid=`echo "$line" | awk '{print $11}'` ; echo "$line" "[`qpkg -nc -f $suid`]" ; done

Over the next week or so I will be looking over the permissions of everything I use and offering unified diffs/patches when/where feasible. If you currently are a maintainer of a port that installs files 4755 (I hope you all know who you are) please try to get your port to install 4711 or with even less privs. However if your program is a setid executable script then you should leave the permissions alone.

Below is a suggested patch to the current util-linux ebuild.
http://cvs.gentoo.org/~solar/util-linux-2.11z-r4.ebuild.diff

-- 
Ned Ludd
Gentoo Linux (Hardened)

--
gentoo-dev@gentoo.org mailing list
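The following script is an added example and is not part of Ned's post or of the util-linux patch he links. It automates the audit the post describes: it finds setuid/setgid files, keeps only those that are ELF binaries (setid scripts are skipped, as the post says to leave them alone), and for each one that group or other can still read it prints the chmod that would take a 4755-style mode down to 4711. It assumes a Linux host with GNU find and stat; the function names, the SETID_AUDIT_ROOT variable and the sample modes in the comments are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: audit setid files for
# group/other read bits and print the tightened mode the post argues for.
# Assumes a Linux host with GNU find and stat. Function names, the
# SETID_AUDIT_ROOT variable and the modes quoted in comments are
# constructed for this illustration.

# is_elf FILE: true if FILE starts with the ELF magic 0x7f 'E' 'L' 'F'.
# Setid scripts are deliberately not matched, because the post says to
# leave their permissions alone.
is_elf() {
    magic=$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# hardened_mode MODE: MODE is an octal mode string such as 4755.
# Keeps the setuid/setgid/sticky bits (07000), all owner bits (0700)
# and group/other execute (0011); drops group/other read and write (0066).
# 4755 -> 4711, 2755 -> 2711, 6755 -> 6711, 4750 -> 4710.
hardened_mode() {
    printf '%04o\n' "$(( 0$1 & 07711 ))"
}

# needs_hardening MODE FILE: true if FILE is a setid ELF that group or
# other can still read, i.e. a candidate for the chmod above.
needs_hardening() {
    mode=$1
    path=$2
    [ "$(( 0$mode & 06000 ))" -ne 0 ] || return 1   # neither setuid nor setgid
    [ "$(( 0$mode & 00044 ))" -ne 0 ] || return 1   # already unreadable to g/o
    is_elf "$path"
}

# audit_setid [ROOT]: walk ROOT (default /) and print one chmod line per
# setid ELF that still has group/other read bits. Nothing is changed;
# review the output before applying it. Note -perm -04000 matches any
# file with the setuid bit set whatever its other bits are; a bare
# -perm 04000 would only match a mode of exactly 04000.
audit_setid() {
    find "${1:-/}" -xdev \( -perm -04000 -o -perm -02000 \) -type f -print 2>/dev/null |
    while read -r f; do
        m=$(stat -c '%a' "$f" 2>/dev/null) || continue
        if needs_hardening "$m" "$f"; then
            printf 'chmod %s %s   # currently %s\n' "$(hardened_mode "$m")" "$f" "$m"
        fi
    done
}

# Usage: SETID_AUDIT_ROOT=/usr sh setid-audit.sh
# (run as root for a complete walk; unreadable directories are skipped)
if [ -n "$SETID_AUDIT_ROOT" ]; then
    audit_setid "$SETID_AUDIT_ROOT"
fi
```

The script only reports; applying the chmod lines is a deliberate second step so that anything unexpected (a setid file that must stay world-readable for some tool, or a package that should instead be fixed in its ebuild) can be looked at first. Dropping the read bits hides the locally built binary from unprivileged users but does not change what the binary does, so it is a defence-in-depth measure on top of fixing the vulnerable code, not a substitute for it.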