setuid and setgid security issues - is system compromised?
Stefan Bruda
bruda at cs.ubishops.ca
Tue Feb 1 07:40:44 MST 2005
At 19:34 -0500 on 2005-1-31 Andrew wrote:
>
> I'd like to know more about the cron job.
Oh, I just dumped the following script in /etc/cron.d/cron.weekly:
#!/bin/sh
# Skip /proc everywhere; world-writable check ignores symlinks (their mode is meaningless)
echo "Unexpected world-writeable files:"
find / ! -fstype proc -perm -2 ! -type l -ls 2>/dev/null \
| /etc/cron-files/known-writeables
echo "Unexpected SUID files:"
find / ! -fstype proc -perm -4000 -ls 2>/dev/null \
| /etc/cron-files/known-suids
echo "Unexpected SGID files:"
find / ! -fstype proc -perm -2000 -ls 2>/dev/null \
| /etc/cron-files/known-suids \
| /etc/cron-files/known-gids
# Files whose uid/gid no longer map to a user or group (leftovers of deleted accounts)
echo "Unowned files:"
find / ! -fstype proc '(' -nouser -o -nogroup ')' -ls 2>/dev/null
echo "Backups and others:"
find / ! -fstype proc -name \*~ -ls 2>/dev/null
find / ! -fstype proc -name \*.swp -ls 2>/dev/null
where /etc/cron-files/known-writeables contains lines of the form
grep -v '/usr/share/texmf/fonts' | \
grep -v '/var/tmp/portage/.*/work/' | \
grep -v '/tmp/\.ICE-unix' | \
and so on, with all the files that are legitimately world-writeable.
Same goes for /etc/cron-files/known-suids and
/etc/cron-files/known-gids.
> Let's compare the SUID files I gathered with the list you provided.
> Maybe some packages are not installed on your system but are on mine.
>
> /usr/bin/fliccd, /usr/bin/sperl5.8.3, /usr/bin/rcp, /usr/bin/at,
> /usr/bin/rlogin, /usr/bin/suidperl, /usr/bin/rsh, /usr/bin/su,
> /usr/bin/tvtime, /usr/libexec/pt_chown, /usr/libexec/openssh/ssh-keysign,
> /usr/bin/kpac_dhcp_helper, /usr/sbin/suexec, /usr/sbin/usernetctl,
> /usr/sbin/kppp, /usr/sbin/userhelper, /usr/lib/news/bin/startinnfeed,
> /usr/lib/news/bin/inndstart, /usr/lib/mol/0.9.71/bin/mol, /bin/ping6,
> /sbin/pwdb_chkpwd, /sbin/unix_chkpwd.
Those look legitimate at first sight, though some of them I don't
know about (such as fliccd). There is an rpm switch that checks the
integrity of a given package; this is a good thing to try with
packages owning files you don't know about. It must be that our
collection of packages is different; that goes without saying.
> - Your su, pt_chown, ssh-keysign, kpac_dhcp_helper, traceroute, are
> not in the same directory as mine. How come?
Umm, I am actually using Gen^H^H^H another Linux distribution on the
machine in question.
Stefan
--
``There's no use trying, one can't believe impossible things.''
``I daresay you haven't had much practice. When I was your age, I
always did it for half an hour a day. Why, sometimes I believed as
many as six impossible things before breakfast.''
--Lewis Carroll, Through the Looking-Glass
More information about the yellowdog-general mailing list
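The same audit as in the post, written as an added example (not Stefan's script and not part of the original thread): it records mode, owner, group and path for every setuid, setgid or world-writable file and reports only records absent from an allowlist, so a permission or ownership change on a known file is reported as well. It assumes GNU find (for -printf) and GNU grep (for -f), and takes the scan root and allowlist path as parameters rather than hard-coding / and /etc/cron-files.

```shell
#!/bin/sh
# Added example: baseline/diff audit of setuid, setgid and world-writable files.
# Assumes GNU find and GNU grep. Records look like: "4755 root root /usr/bin/su".

# Print one record per file: octal mode, owner, group, path (sorted for stable diffs).
# -perm -4000: setuid; -perm -2000: setgid; -perm -0002 ! -type l: world-writable,
# ignoring symlinks whose mode bits carry no meaning. /proc is skipped as in the post.
scan_special_files() {
    root=$1
    find "$root" ! -fstype proc \
        \( -perm -4000 -o -perm -2000 -o \( -perm -0002 ! -type l \) \) \
        -printf '%m %u %g %p\n' 2>/dev/null | LC_ALL=C sort
}

# Save the current state as the allowlist; review it by hand before trusting it.
snapshot_baseline() {
    scan_special_files "$1" > "$2"
}

# Print every record not found verbatim on the allowlist. Matching whole lines
# (-x) on fixed strings (-F) means a changed mode, owner or group on a listed
# path no longer matches and is reported. grep exits 1 when nothing is left
# to report, which is the healthy case, so that status is mapped to success.
report_unexpected() {
    root=$1
    allowlist=$2
    scan_special_files "$root" | grep -F -v -x -f "$allowlist" || [ $? -eq 1 ]
}
```

A weekly cron entry would call report_unexpected against the saved baseline and mail the output; re-run snapshot_baseline only after a package change you have verified.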