[ubuntu-hardened] Removing SUID on binaries that don't need it
Jeff Schroeder
jeffschroed at gmail.com
Fri Nov 30 00:08:08 GMT 2007
On Nov 29, 2007 3:24 PM, John Richard Moser <nigelenki at comcast.net> wrote:
> - You can if you're root
>
> - Nobody cares, you're root already
>
> - If you're using SELinux, it shouldn't let you ptrace across contexts
>
> - If you can, somebody needs to fix your policy
>
> - You have no caps to drop if you're not root (via SUID or other)
>
> I think that covers about everything. There's a lot of "well this
> situation lets you get away with it" that ends something like "... but
> you own the box already anyway."
The point of this discussion was whether or not we should investigate
removing suid bits from binaries that don't need them, not how to write
better software.
Stripping suid might prevent that 1 case where buggy code or some new
class of exploit comes out (hello dangling pointers!) allows an attacker to
gain root.
--
Jeff Schroeder
Don't drink and derive, alcohol and analysis don't mix.
http://www.digitalprognosis.com
More information about the ubuntu-hardened
mailing list