setuid and setgid security issues - is system compromised?
Andrew
virgule88 at videotron.ca
Mon Jan 31 17:34:38 MST 2005
On Mon, 31 Jan 2005 14:27:18 -0500
Stefan Bruda <bruda at cs.ubishops.ca> wrote:
> At 20:18 -0500 on 2005-1-30 Andrew wrote:
> >
> > I've been reading the cert.org site and found quite a few setuid files
> > using this command, as suggested on the site.
> > find / -user root -perm -4000 -print
> >
> > I have the full results both on disk and paper. Many of them
> > contain 'passwd', 'login' and 'share' in the name.
>
> It is not necessarily a security issue. Many executables are
> legitimately SUID or SGID. On my system for instance, the following
> files are legitimately SUID:
>
> /usr/X11R6/bin/root-tail, /bin/passwd, /etc/pam.d/cron,
> /var/run/jack, /usr/lib/misc/pt_chown, /usr/lib/misc/ssh-keysign,
> /usr/bin/nwsfind, /usr/bin/ncpmount, /usr/bin/ncpumount,
> /usr/bin/ncplogin, /usr/bin/ncpmap, /usr/sbin/utempter,
> /usr/sbin/suexec2, /usr/sbin/traceroute, /usr/X11R6/bin/XFree86,
> /usr/X11R6/bin/Xorg, /usr/bin/chage, /usr/bin/chfn, /usr/bin/chsh,
> /usr/bin/expiry, /usr/bin/gpasswd, /usr/bin/newgrp,
> /usr/bin/passwd, /usr/bin/tracepath, /usr/bin/crontab,
> /usr/bin/lppasswd, /usr/bin/xscreensaver, /usr/bin/procmail,
> /usr/bin/gpg, /usr/bin/sudo, /usr/libexec/lockspool,
> /usr/kde/3.3/bin/artswrapper, /usr/kde/3.3/bin/kgrantpty,
> /usr/kde/3.3/bin/fileshareset, /usr/kde/3.3/bin/kpac_dhcp_helper,
> /usr/kde/3.3/bin/kcheckpass, /sbin/pam_timestamp_check,
> /sbin/unix_chkpwd, /bin/su, /bin/mount, /bin/umount, /bin/ping
>
> And these are legitimate SGID files.
>
> /usr/sbin/sendmail, /usr/bin/man, /usr/bin/write,
> /usr/bin/slocate, /usr/bin/dotlockfile, /usr/bin/gnomine,
> /usr/bin/same-gnome, /usr/bin/mahjongg, /usr/bin/gtali,
> /usr/bin/gnome-stones, /usr/bin/gnotravex, /usr/bin/gnotski,
> /usr/bin/glines, /usr/bin/gnobots2, /usr/bin/gnibbles,
> /usr/bin/gnometris, /usr/bin/lockfile,
> /usr/libexec/gnome-pty-helper, /usr/kde/3.3/bin/kdesud
>
> I have a small cron job that looks for suspicious set-uid files
> regularly (excluding the above), which I actually recommend as a small
> improvement in the overall security of the system.
>
> > I also noticed several weird .hidden files in the /tmp directory, most
> > of them starting with ssh-. I promptly deleted them all and they're
> > coming back! :-?
>
> The ssh- prefixed temporary files come from ssh-agent, see `man
> ssh-agent.' I am guessing that you launch the agent at the beginning
> of a shell session or something, and this creates those files
> (directories actually).
>
> In terms of security, you may want to stay tuned to the security
> advisories, and even so install (and use) a good firewall (hand made
> is best in my opinion), a decent log watcher, tripwire
> (http://www.tripwire.org/) and chkrootkit (http://www.chkrootkit.org/)
> at the minimum. Portsentry and its brethren
> (http://sourceforge.net/projects/sentrytools/) are also very useful
> tools. Finally, the book `Real World Linux Security'
> (http://www.realworldlinuxsecurity.com/) makes for interesting
> reading on the matter.
>
> Stefan
Thanks. Now this is relevant info! I'd like to know more about the cron job.
Let's compare the SUID files I gathered with the list you provided.
Maybe some packages are not installed on your system but are on mine.
/usr/bin/fliccd, /usr/bin/sperl5.8.3, /usr/bin/rcp, /usr/bin/at,
/usr/bin/rlogin, /usr/bin/suidperl, /usr/bin/rsh, /usr/bin/su,
/usr/bin/tvtime, /usr/libexec/pt_chown, /usr/libexec/openssh/ssh-keysign,
/usr/bin/kpac_dhcp_helper, /usr/sbin/suexec, /usr/sbin/usernetctl,
/usr/sbin/kppp, /usr/sbin/userhelper, /usr/lib/news/bin/startinnfeed,
/usr/lib/news/bin/inndstart, /usr/lib/mol/0.9.71/bin/mol, /bin/ping6,
/sbin/pwdb_chkpwd, /sbin/unix_chkpwd.
Observations:
- Your su, pt_chown, ssh-keysign, kpac_dhcp_helper, traceroute are not in the same directory as mine. How come?
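The cron job Stefan describes (a regular scan for set-uid files, excluding a known-good list) can be built as a baseline diff. The script below is an added example, not Stefan's actual script: it records the setuid and setgid files found under a given root (going beyond the thread's root-only setuid find by also catching setgid files and other owners) and later reports any that were not in the baseline. The baseline path and the cron line in the comments are assumptions.

```shell
#!/bin/sh
# Baseline-diff check for setuid/setgid files (added example, not from the thread).
#
# One-time setup (assumed path):   list_suid_sgid / > /var/lib/suid-baseline
# Assumed cron entry, daily at 04:00, mailing only when something new appears:
#   0 4 * * * /usr/local/sbin/suidcheck.sh / /var/lib/suid-baseline || \
#             mail -s "new setuid/setgid files" root

# Print every setuid or setgid regular file under $1, one per line, sorted in a
# fixed locale so the output is directly comparable with comm(1) later.
# -xdev keeps the scan on one filesystem (no /proc, no NFS mounts); permission
# errors on unreadable directories are silenced.
list_suid_sgid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
        | LC_ALL=C sort
}

# Compare the current scan of $1 with the baseline file $2 (produced earlier by
# list_suid_sgid). Prints paths that are setuid/setgid now but were not in the
# baseline. Returns 0 when nothing new was found, 1 otherwise, so the cron line
# above can mail root only on a change.
check_against_baseline() {
    root="$1"
    baseline="$2"
    new=$(list_suid_sgid "$root" | LC_ALL=C comm -23 - "$baseline")
    if [ -n "$new" ]; then
        printf '%s\n' "$new"
        return 1
    fi
    return 0
}

# Invoked as a script: suidcheck.sh ROOT BASELINE
if [ "$#" -eq 2 ] && [ "$(basename -- "$0")" = "suidcheck.sh" ]; then
    check_against_baseline "$1" "$2"
    exit $?
fi
```

A new setuid binary that appears after the baseline was taken is printed and the exit status becomes 1; regenerate the baseline only after you have checked that the new file belongs to a package you installed.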