setuid and setgid security issues - is system compromised?

Stefan Bruda bruda at cs.ubishops.ca
Mon Jan 31 12:27:18 MST 2005


At 20:18 -0500 on 2005-1-30 Andrew wrote:
 >
 > I've been reading cert.org site and found quite a few setuids files
 > using this command, as suggested on the site.
 >         find / -user root -perm -4000 -print
 > 
 > I have the full results both on disk and paper. Many of them
 > contain 'passwd', 'login' and 'share' in the name.

It is not necessarily a security issue.  Many executables are
legitimately SUID or SGID.  On my system for instance, the following
files are legitimately SUID:

    /usr/X11R6/bin/root-tail, /bin/passwd, /etc/pam.d/cron,
    /var/run/jack, /usr/lib/misc/pt_chown, /usr/lib/misc/ssh-keysign,
    /usr/bin/nwsfind, /usr/bin/ncpmount, /usr/bin/ncpumount,
    /usr/bin/ncplogin, /usr/bin/ncpmap, /usr/sbin/utempter,
    /usr/sbin/suexec2, /usr/sbin/traceroute, /usr/X11R6/bin/XFree86,
    /usr/X11R6/bin/Xorg, /usr/bin/chage, /usr/bin/chfn, /usr/bin/chsh,
    /usr/bin/expiry, /usr/bin/gpasswd, /usr/bin/newgrp,
    /usr/bin/passwd, /usr/bin/tracepath, /usr/bin/crontab,
    /usr/bin/lppasswd, /usr/bin/xscreensaver, /usr/bin/procmail,
    /usr/bin/gpg, /usr/bin/sudo, /usr/libexec/lockspool,
    /usr/kde/3.3/bin/artswrapper, /usr/kde/3.3/bin/kgrantpty,
    /usr/kde/3.3/bin/fileshareset, /usr/kde/3.3/bin/kpac_dhcp_helper,
    /usr/kde/3.3/bin/kcheckpass, /sbin/pam_timestamp_check,
    /sbin/unix_chkpwd, /bin/su, /bin/mount, /bin/umount, /bin/ping'

And these are the legitimately SGID files:

    /usr/sbin/sendmail, /usr/bin/man, /usr/bin/write,
    /usr/bin/slocate, /usr/bin/dotlockfile, /usr/bin/gnomine,
    /usr/bin/same-gnome, /usr/bin/mahjongg, /usr/bin/gtali,
    /usr/bin/gnome-stones, /usr/bin/gnotravex, /usr/bin/gnotski,
    /usr/bin/glines, /usr/bin/gnobots2, /usr/bin/gnibbles,
    /usr/bin/gnometris, /usr/bin/lockfile,
    /usr/libexec/gnome-pty-helper, /usr/kde/3.3/bin/kdesud

I have a small cron job that looks for suspicious set-uid files
regularly (excluding the above), which I actually recommend as a small
improvement in the overall security of the system.

 > I also noticed several weird .hidden files in /tmp directory most
 > of them starting with ssh-. I promptly deleted them all and they're
 > coming back!  :-?

The ssh- prefixed temporary files come from ssh-agent, see `man
ssh-agent'.  I am guessing that you launch the agent at the beginning
of a shell session or something, and this creates those files
(directories actually).

In terms of security, you may want to stay tuned to the security
advisories, and even so install (and use) a good firewall (hand made
is best in my opinion), a decent log watcher, tripwire
(http://www.tripwire.org/) and chkrootkit (http://www.chkrootkit.org/)
at the minimum.  Portsentry and its brethren
(http://sourceforge.net/projects/sentrytools/) are also very useful
tools.  Finally, the book `Real World Linux Security'
(http://www.realworldlinuxsecurity.com/) makes for an interesting
reading on the matter.

Stefan

-- 
``There's no use trying, one can't believe impossible things.''
``I daresay you haven't had much practice.  When I was your age, I
always did it for half an hour a day.  Why, sometimes I believed as
many as six impossible things before breakfast.''
    --Lewis Carroll, Through the Looking-Glass
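As an added example (not part of Stefan's mail, and not his actual cron job), a small POSIX shell check in the spirit of the find command quoted above and the allowlist-based cron job he describes: it lists set-uid and set-gid files under a root, drops the paths on an allowlist, and reports the rest. It goes slightly beyond the quoted command by catching SGID files and non-root owners too; the directory layout, file names and allowlist format are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: periodic set-uid/set-gid audit with an allowlist.
# The sample tree and allowlist below are constructed for illustration.

# Print every set-uid (4000) or set-gid (2000) regular file under $1, sorted.
# -xdev keeps find on one filesystem so /proc, NFS mounts etc. are skipped.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Report set-id files under $1 that are not listed (one absolute path per
# line) in the allowlist file $2.  Returns 1 when anything unexpected is
# found, so a cron job can mail the output only on failure.
check_setid() {
    unexpected=$(list_setid "$1" | grep -F -v -x -f "$2" || true)
    if [ -n "$unexpected" ]; then
        printf 'Unexpected set-uid/set-gid files under %s:\n%s\n' "$1" "$unexpected"
        return 1
    fi
    return 0
}

# Build a constructed directory tree under $1 that mimics a few of the
# paths discussed in the thread, plus one set-uid file hidden in tmp/.
build_sample_tree() {
    mkdir -p "$1/bin" "$1/usr/bin" "$1/tmp/.hidden"
    : > "$1/bin/passwd";          chmod 4755 "$1/bin/passwd"           # legitimate SUID
    : > "$1/usr/bin/man";         chmod 2755 "$1/usr/bin/man"          # legitimate SGID
    : > "$1/bin/ls";              chmod 0755 "$1/bin/ls"               # no set-id bit
    : > "$1/tmp/.hidden/suspect"; chmod 4755 "$1/tmp/.hidden/suspect"  # not on the allowlist
}

# Stand-alone demonstration: only the hidden file should be reported.
demo() {
    tmp=$(mktemp -d)
    build_sample_tree "$tmp"
    printf '%s\n' "$tmp/bin/passwd" "$tmp/usr/bin/man" > "$tmp/allow.txt"
    check_setid "$tmp" "$tmp/allow.txt" || echo "(check failed as expected)"
    rm -rf "$tmp"
}
demo
```

For real use, point `check_setid` at `/` with an allowlist generated once from a known-good system (the list Stefan gives above is a reasonable starting point) and review the output whenever it is non-empty.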


More information about the yellowdog-general mailing list