setuid and setgid security issues - is system compromised?

Stefan Bruda bruda at cs.ubishops.ca
Tue Feb 1 07:40:44 MST 2005


At 19:34 -0500 on 2005-1-31 Andrew wrote:
 >
 > I'd like to know more about the cron job.

Oh, I just dumped the following script in /etc/cron.d/cron.weekly:

    #!/bin/sh
    # Weekly permission audit: list files carrying risky permission bits,
    # then drop the known-legitimate ones through per-class filter scripts.
    # /proc is skipped everywhere; find's error noise goes to /dev/null.
    
    echo "Unexpected world-writeable files:"
    # -perm -2: writable by "others"; symlinks are excluded because they
    # always report mode 0777.
    find / ! -fstype proc -perm -2 ! -type l -ls 2>/dev/null \
       | /etc/cron-files/known-writeables
    
    echo "Unexpected SUID files:"
    # -perm -4000: setuid bit set
    find / ! -fstype proc -perm -4000 -ls 2>/dev/null \
       | /etc/cron-files/known-suids
    
    echo "Unexpected SGID files:"
    # -perm -2000: setgid bit set; filtered through both exclusion lists
    find / ! -fstype proc -perm -2000 -ls 2>/dev/null \
       | /etc/cron-files/known-suids \
       | /etc/cron-files/known-gids
    
    echo "Unowned files:"
    # files whose uid or gid no longer maps to an account or group
    find / ! -fstype proc '(' -nouser -o -nogroup ')' -ls 2>/dev/null
    
    echo "Backups and others:"
    # editor backup and swap files left lying around
    find / ! -fstype proc -name \*~ -ls 2>/dev/null
    find / ! -fstype proc -name \*.swp -ls 2>/dev/null

where /etc/cron-files/known-writeables contains lines of the form

    #!/bin/sh
    # Executable filter script: drops known-legitimate paths from the
    # find output on stdin.  One grep -v per path; the last command in
    # the chain must not end in a pipe.
    grep -v '/usr/share/texmf/fonts' | \
    grep -v '/var/tmp/portage/.*/work/' | \
    grep -v '/tmp/\.ICE-unix' | \

and so on, with all the files that are legitimately world-writeable.
Same goes for /etc/cron-files/known-suids and
/etc/cron-files/known-gids.

 > Let's compare the SUID files I gathered with the list you provided.
 > Maybe some packages are not installed on your system but are on mine.
 > 
 >    /usr/bin/fliccd, /usr/bin/sperl5.8.3, /usr/bin/rcp, /usr/bin/at,
 >    /usr/bin/rlogin, /usr/bin/suidperl, /usr/bin/rsh, /usr/bin/su,
 >    /usr/bin/tvtime, /usr/libexec/pt_chown, /usr/libexec/openssh/ssh-keysign,
 >    /usr/bin/kpac_dhcp_helper, /usr/sbin/suexec, /usr/sbin/usernetctl,
 >    /usr/sbin/kppp, /usr/sbin/userhelper, /usr/lib/news/bin/startinnfeed,
 >    /usr/lib/news/bin/inndstart, /usr/lib/mol/0.9.71/bin/mol,/bin/ping6,
 >    /sbin/pwdb_chkpwd, /sbin/unix_chkpwd.

Those look legitimate at a first sight, though some of them I don't
know about (such as fliccd).  There is an rpm switch that checks the
integrity of a given package; this is a good thing to try with
packages owning files you don't know about.  It must be that our
collection of packages is different, that goes without saying.

 > - Your su, pt_chown, ssh-keysign, kpac_dhcp_helper, traceroute, are
 > not in the same directory as mine. How come?

Umm, I am actually using Gen^H^H^H another Linux distribution on the
machine in question.

Stefan

-- 
``There's no use trying, one can't believe impossible things.''
``I daresay you haven't had much practice.  When I was your age, I
always did it for half an hour a day.  Why, sometimes I believed as
many as six impossible things before breakfast.''
    --Lewis Carroll, Through the Looking-Glass
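The exclusion-script approach in Stefan's cron job works, but a grep -v pattern silently accepts any path that happens to match it, and it only ever reports additions. A more robust variant of the same weekly job keeps a sorted baseline of every setuid, setgid and world-writable file and reports both additions and removals (including mode changes on a file already in the baseline). The following script is an added example, not Stefan's code or anything from the list; it assumes GNU find (for -printf), and the path /var/lib/privaudit/baseline is only a suggested location.

```shell
#!/bin/sh
# Added example: baseline-and-diff variant of the weekly permission audit.
# Assumes GNU find (-printf).  The baseline path is the caller's choice;
# /var/lib/privaudit/baseline below is just a suggestion.

# collect_privileged ROOT
#   Print "mode owner group path" for every setuid, setgid or
#   world-writable entry under ROOT (symlinks excluded, /proc skipped),
#   sorted bytewise so that comm(1) can diff two runs.
collect_privileged() {
    root=$1
    find "$root" ! -fstype proc \
        '(' -perm -4000 -o -perm -2000 -o '(' -perm -0002 ! -type l ')' ')' \
        -printf '%M %u %g %p\n' 2>/dev/null | LC_ALL=C sort
}

# audit_against_baseline ROOT BASELINE
#   Compare the current set with BASELINE.  Prints "+ <entry>" for new
#   privileged files and "- <entry>" for ones that vanished or changed.
#   Returns 1 if anything differs, 0 if the system matches the baseline.
audit_against_baseline() {
    root=$1
    baseline=$2
    current=$(mktemp)
    collect_privileged "$root" > "$current"
    tab=$(printf '\t')
    # comm -3: lines only in baseline (no indent) or only in current (tab)
    changes=$(LC_ALL=C comm -3 "$baseline" "$current" \
        | sed -e "s/^$tab/+ /" -e '/^+ /!s/^/- /')
    rm -f "$current"
    if [ -n "$changes" ]; then
        printf '%s\n' "$changes"
        return 1
    fi
    return 0
}

# privaudit_main ROOT BASELINE
#   First run writes the baseline; later runs report differences.
#   Re-create the baseline deliberately after package upgrades, once
#   the new entries have been checked (e.g. with rpm -V).
privaudit_main() {
    if [ ! -f "$2" ]; then
        collect_privileged "$1" > "$2"
        echo "baseline written to $2"
        return 0
    fi
    audit_against_baseline "$1" "$2"
}

# Usage from cron.weekly: privaudit.sh / /var/lib/privaudit/baseline
if [ $# -eq 2 ]; then
    privaudit_main "$1" "$2"
fi
```

Because the baseline stores the mode string, a file that was already listed but gains an extra bit (say a world-writable file that becomes setuid) shows up as a "-" line for the old entry and a "+" line for the new one, which the grep -v filters would have hidden. The non-zero exit status lets cron or a wrapper mail the report only when something changed.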


More information about the yellowdog-general mailing list