[ubuntu-hardened] Removing SUID on binaries that don't need it

John Richard Moser nigelenki at comcast.net
Thu Nov 29 02:28:50 GMT 2007

Jeff Schroeder wrote:
> Although unlikely, new classes of attack are occasionally uncovered.

Theoretically, nobody cares.  Here's a good way to start a program:

int main() {
   setuid(uidof(nobody)); // uidof?  wtf?
   // Not root anymore, not able to setuid(0) either
   return 0;

If you can break that, you're attacking the compiler or dynamic linker 
or some library initialization code.  None of such code should rely on 
any user input though.

Problems of course, first off some people initialize before dropping 
caps (please IMMEDIATELY drop caps).  Some library code etc uses 
environment variables.  You just MIGHT have a break somewhere in such 
code or in the compiler or something that happens before _main() and 
uses env vars or command line options.

So yes, point well taken; however, I just want to give anyone a boot to 
the head if they don't drop caps that fast.

> Does anyone else think this is a good idea to investigate removing
> suid root from *some* of these binaries where it doesn't break

Yes.  Do so.

The above blob of text might actually make you realize that you need to 
remove suid root for *all* of the binaries or any remaining flaw will 
affect *all* suid root programs.  Think about it for a minute, you'll 
get it.

> anything? It seems like a win win to me. The only thing different is
> that this would need to be prominently displayed somewhere in the
> server docs and the fscaps tools would need to be packaged + the MIR.

Bring back the Firefox plushy!

More information about the ubuntu-devel mailing list