setuid and setgid security issues - is system compromised?

Andrew virgule88 at videotron.ca
Mon Jan 31 17:34:38 MST 2005


On Mon, 31 Jan 2005 14:27:18 -0500
Stefan Bruda <bruda at cs.ubishops.ca> wrote:

> At 20:18 -0500 on 2005-1-30 Andrew wrote:
>  >
>  > I've been reading cert.org site and found quite a few setuid files
>  > using this command, as suggested on the site.
>  >         find / -user root -perm -4000 -print
>  > 
>  > I have the full results both on disk and paper. Many of them
>  > contain 'passwd', 'login' and 'share' in the name.
> 
> It is not necessarily a security issue.  Many executables are
> legitimately SUID or SGID.  On my system for instance, the following
> files are legitimately SUID:
> 
>     /usr/X11R6/bin/root-tail, /bin/passwd, /etc/pam.d/cron,
>     /var/run/jack, /usr/lib/misc/pt_chown, /usr/lib/misc/ssh-keysign,
>     /usr/bin/nwsfind, /usr/bin/ncpmount, /usr/bin/ncpumount,
>     /usr/bin/ncplogin, /usr/bin/ncpmap, /usr/sbin/utempter,
>     /usr/sbin/suexec2, /usr/sbin/traceroute, /usr/X11R6/bin/XFree86,
>     /usr/X11R6/bin/Xorg, /usr/bin/chage, /usr/bin/chfn, /usr/bin/chsh,
>     /usr/bin/expiry, /usr/bin/gpasswd, /usr/bin/newgrp,
>     /usr/bin/passwd, /usr/bin/tracepath, /usr/bin/crontab,
>     /usr/bin/lppasswd, /usr/bin/xscreensaver, /usr/bin/procmail,
>     /usr/bin/gpg, /usr/bin/sudo, /usr/libexec/lockspool,
>     /usr/kde/3.3/bin/artswrapper, /usr/kde/3.3/bin/kgrantpty,
>     /usr/kde/3.3/bin/fileshareset, /usr/kde/3.3/bin/kpac_dhcp_helper,
>     /usr/kde/3.3/bin/kcheckpass, /sbin/pam_timestamp_check,
>     /sbin/unix_chkpwd, /bin/su, /bin/mount, /bin/umount, /bin/ping'
> 
> And these are the legitimate SGID files.
> 
>     /usr/sbin/sendmail, /usr/bin/man, /usr/bin/write,
>     /usr/bin/slocate, /usr/bin/dotlockfile, /usr/bin/gnomine,
>     /usr/bin/same-gnome, /usr/bin/mahjongg, /usr/bin/gtali,
>     /usr/bin/gnome-stones, /usr/bin/gnotravex, /usr/bin/gnotski,
>     /usr/bin/glines, /usr/bin/gnobots2, /usr/bin/gnibbles,
>     /usr/bin/gnometris, /usr/bin/lockfile,
>     /usr/libexec/gnome-pty-helper, /usr/kde/3.3/bin/kdesud
> 
> I have a small cron job that looks for suspicious set-uid files
> regularly (excluding the above), which I actually recommend as a small
> improvement in the overall security of the system.
> 
>  > I also noticed several weird .hidden files in /tmp directory most
>  > of them starting with ssh-. I promptly deleted them all and they're
>  > coming back!  :-?
> 
> The ssh- prefixed temporary files come from ssh-agent, see `man
> ssh-agent'.  I am guessing that you launch the agent at the beginning
> of a shell session or something, and this creates those files
> (directories actually).
> 
> In terms of security, you may want to stay tuned to the security
> advisories, and even so install (and use) a good firewall (hand made
> is best in my opinion), a decent log watcher, tripwire
> (http://www.tripwire.org/) and chkrootkit (http://www.chkrootkit.org/)
> at the minimum.  Portsentry and its brethren
> (http://sourceforge.net/projects/sentrytools/) are also very useful
> tools.  Finally, the book `Real World Linux Security'
> (http://www.realworldlinuxsecurity.com/) makes for interesting
> reading on the matter.
> 
> Stefan

Thanks. Now this is relevant info! I'd like to know more about the cron job.

Let's compare the SUID files I gathered with the list you provided.
Maybe some packages are not installed on your system but are on mine.

   /usr/bin/fliccd, /usr/bin/sperl5.8.3, /usr/bin/rcp, /usr/bin/at,
   /usr/bin/rlogin, /usr/bin/suidperl, /usr/bin/rsh, /usr/bin/su,
   /usr/bin/tvtime, /usr/libexec/pt_chown, /usr/libexec/openssh/ssh-keysign,
   /usr/bin/kpac_dhcp_helper, /usr/sbin/suexec, /usr/sbin/usernetctl,
   /usr/sbin/kppp, /usr/sbin/userhelper, /usr/lib/news/bin/startinnfeed,
   /usr/lib/news/bin/inndstart, /usr/lib/mol/0.9.71/bin/mol, /bin/ping6,
   /sbin/pwdb_chkpwd, /sbin/unix_chkpwd.
   
Observations:
- Your su, pt_chown, ssh-keysign, kpac_dhcp_helper, traceroute are not in the same directory as mine. How come?
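
The kind of cron job Stefan describes, as an added example that is not part of the thread and not his actual script: it builds on the `find / -user root -perm -4000 -print` command quoted above, extends it to SGID files (`-perm -2000`), records a reviewed baseline once, and on every later run diffs the live list against that baseline instead of mailing the whole list each night. The function names, the baseline file location and the crontab line below are assumptions for this example; it needs GNU find for `-printf`.

```shell
#!/bin/sh
# Added example, not Stefan's cron job: baseline check for setuid/setgid
# binaries, built on the "find / -user root -perm -4000 -print" command from
# the thread.  Function names and the baseline file are assumptions made for
# this example.  Needs GNU find (-printf).

# List regular files under $1 carrying the setuid (-perm -4000) or setgid
# (-perm -2000) bit, one "mode owner group path" line each, sorted in a fixed
# locale so two runs can be diffed.  /proc and /sys are pruned when $1 is "/".
# The "-user root" filter from the quoted command is left out on purpose: a
# binary setuid to a service account is worth knowing about too.
scan_setuid() {
    find "$1" \( -path /proc -o -path /sys \) -prune -o \
        -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%M %u %g %p\n' 2>/dev/null | LC_ALL=C sort
}

# Write the current list to the baseline file $2.  Run once after reviewing
# every entry by hand, and again after a package upgrade that changes it.
save_baseline() {
    scan_setuid "$1" > "$2"
}

# Compare the live list against the baseline $2.  Prints diff output (">" for
# files that gained a setuid/setgid bit or changed mode/owner since the
# baseline, "<" for ones that disappeared) and returns 1 on any change,
# 0 when the system still matches the baseline, 2 on a scan/diff failure.
check_setuid() {
    tmp=$(mktemp) || return 2
    scan_setuid "$1" > "$tmp"
    diff "$2" "$tmp"
    status=$?
    rm -f "$tmp"
    return $status
}

# Command-line entry point, e.g. "suidcheck.sh check / /var/lib/suid.baseline".
# With no arguments (as when the file is sourced) nothing runs.
case "${1:-}" in
    baseline) save_baseline "$2" "$3" ;;
    check)    check_setuid  "$2" "$3" ;;
esac
```

A crontab entry such as `0 3 * * * /usr/local/sbin/suidcheck.sh check / /var/lib/suid.baseline 2>&1 | mail -s 'suid check' root` (assumed paths) then produces mail only when something changed; an empty mail means the setuid/setgid population still matches what was reviewed. Because the baseline is a plain text file on the same host, an attacker who already has root can edit it, so keep a copy off the box or let tripwire watch it, as Stefan suggests for the rest of the system.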


More information about the yellowdog-general mailing list