[ubuntu-hardened] Removing SUID on binaries that don't need it

John Richard Moser nigelenki at comcast.net
Thu Nov 29 02:28:50 GMT 2007



Jeff Schroeder wrote:
> Although unlikely, new classes of attack are occasionally uncovered.

Theoretically, nobody cares.  Here's a good way to start a program:

#include <pwd.h>      /* getpwnam() */
#include <stdlib.h>   /* abort() */
#include <unistd.h>   /* setuid() */

void drop_unneeded_caps(void);   /* provided elsewhere: shed capabilities first */

int main(void) {
   drop_unneeded_caps();
   struct passwd *pw = getpwnam("nobody");   // nobody's uid (the post's "uidof")
   if (pw == NULL || setuid(pw->pw_uid) != 0) abort();   // never carry on as root
   // Not root anymore, not able to setuid(0) either
   /* ... rest of the program ... */
   return 0;
}

If you can break that, you're attacking the compiler or dynamic linker 
or some library initialization code.  None of such code should rely on 
any user input though.

Problems, of course: first off, some people initialize before dropping 
caps (please IMMEDIATELY drop caps).  Some library code etc. uses 
environment variables.  You just MIGHT have a break somewhere in such 
code, or in the compiler, or in something that happens before _main() and 
uses env vars or command line options.

So yes, point well taken; however, I just want to give anyone a boot to 
the head if they don't drop caps that fast.

> 
> Does anyone else think this is a good idea to investigate removing
> suid root from *some* of these binaries where it doesn't break

Yes.  Do so.

The above blob of text might actually make you realize that you need to 
remove suid root for *all* of the binaries or any remaining flaw will 
affect *all* suid root programs.  Think about it for a minute, you'll 
get it.

> anything? It seems like a win win to me. The only thing different is
> that this would need to be prominently displayed somewhere in the
> server docs and the fscaps tools would need to be packaged + the MIR.
> 

-- 
Bring back the Firefox plushy!
http://digg.com/linux_unix/Is_the_Firefox_plush_gone_for_good
https://bugzilla.mozilla.org/show_bug.cgi?id=322367
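As an added example (not code from this thread or from Ubuntu), here is the "drop privileges as the first thing in main()" pattern the post argues for, written out with the checks a reviewer would ask for: supplementary groups and the gid are changed while still root, every call is checked, the drop is verified to be irreversible, and a "drop" to uid 0 is refused outright. The function names are mine, and it assumes an account named nobody exists on the host.

```c
#define _GNU_SOURCE              /* setgroups() prototype in <grp.h> on glibc */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Resolve an account name to uid/gid. Returns 0 on success, -1 with errno set.
   getpwnam() reports "no such user" by returning NULL with errno untouched,
   so that case is mapped to ENOENT explicitly. */
int lookup_user(const char *name, uid_t *uid, gid_t *gid) {
    errno = 0;
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) {
        if (errno == 0) errno = ENOENT;
        return -1;
    }
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

/* Permanently drop root to the given ids. Order matters: supplementary groups
   and the primary gid must be changed while still root, because an
   unprivileged uid can no longer call setgroups()/setgid(). Returns 0 on
   success, -1 with errno set on any failure (the caller must not continue). */
int drop_privileges_to(uid_t uid, gid_t gid) {
    if (uid == 0) {              /* "dropping" to root is a bug; refuse it */
        errno = EINVAL;
        return -1;
    }
    if (setgroups(0, NULL) == -1) return -1;
    if (setgid(gid) == -1) return -1;
    if (setuid(uid) == -1) return -1;

    /* Verify the drop is irreversible: with no saved root uid left,
       setuid(0) must now fail. If it succeeds, or any id is not what we
       asked for, the program must not proceed. */
    if (setuid(0) != -1 || getuid() != uid || geteuid() != uid
        || getgid() != gid || getegid() != gid) {
        errno = EACCES;
        return -1;
    }
    return 0;
}

/* Convenience wrapper: drop to a named account (the post uses "nobody"). */
int drop_privileges(const char *name) {
    uid_t uid;
    gid_t gid;
    if (lookup_user(name, &uid, &gid) == -1) return -1;
    return drop_privileges_to(uid, gid);
}

int main(void) {
    /* First thing in main(), before any library initialisation or parsing
       of argv/environment, exactly as the post argues. */
    if (drop_privileges("nobody") == -1) {
        fprintf(stderr, "cannot drop privileges: %s\n", strerror(errno));
        return 1;
    }
    printf("running as uid %u, euid %u; setuid(0) now fails: %s\n",
           (unsigned)getuid(), (unsigned)geteuid(),
           setuid(0) == -1 ? strerror(errno) : "NO (bug!)");
    return 0;
}
```

Run it as root (or as a root-owned copy with the setuid bit set) to see the drop succeed and the later setuid(0) fail with EPERM. Run it as an ordinary user and setgroups() fails with EPERM, so the program exits instead of continuing, which is the failure mode you want. On Linux, setuid() from root to a non-root uid also clears the process's permitted, effective and ambient capability sets unless SECBIT_KEEP_CAPS / PR_SET_KEEPCAPS was set beforehand, so for a plain setuid-root binary this drop covers the "drop caps" step from the post as well.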
