[ubuntu-hardened] Removing SUID on binaries that don't need it
Jeff Schroeder
jeffschroed at gmail.com
Sun Oct 28 21:24:42 GMT 2007
Serge Hallyn's recent implement-file-system-posix-capabilities.patch
finally got the buyoff from Andrew Morton and is going to be going
into the as of yet unreleased 2.6.24 kernel. However, since Hardy will
very likely be using the 2.6.24 kernel, maybe we can look at what this
specific feature buys us.
Here is a really quick look at some setuid and setgid binaries on an
up to date Gutsy system:
root at omniscience:~# find /{,s}bin /usr/{bin,sbin} -perm 4755 -o -perm 2755
/bin/umount
/bin/ping6
/bin/mount
/bin/check-foreground-console
/bin/ping
/bin/su
/sbin/unix_chkpwd
/usr/bin/fping6
/usr/bin/lppasswd
/usr/bin/traceroute6.iputils
/usr/bin/bsd-write
/usr/bin/screen
/usr/bin/expiry
/usr/bin/ssh-agent
/usr/bin/cdrecord
/usr/bin/chsh
/usr/bin/sudoedit
/usr/bin/gpasswd
/usr/bin/crontab
/usr/bin/arping
/usr/bin/passwd
/usr/bin/wall
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/chage
/usr/bin/fping
/usr/bin/slocate
/usr/bin/xterm
/usr/bin/mtr
/usr/bin/sudo
/usr/sbin/exim4
Although unlikely, new classes of attack are occasionally uncovered.
Look at the most recent finding that dangling null pointers can be
used to exploit code. The best way to protect our users is by the
simple least privilege model. /bin/ping has no reason to be suid root
when you can remove the suid bit and grant it the CAP_NET_RAW
capability. Userspace tools to manipulate these capabilities can be
found at http://www.kaigai.gr.jp/index.php. For those security
conscious, the patch itself is available here:
http://kernel.org/pub/linux/kernel/people/akpm/patches/2.6/2.6.23/2.6.23-mm1/broken-out/implement-file-posix-capabilities.patch
This might require some work for stupid userspace code that does
something like:
/* a hard euid check: fails once the suid bit is replaced by a file capability */
if (geteuid() != 0)
    die_a_miserable_death_and_say_you_only_run_as_root();
This might mean that Ubuntu carries Ubuntu-specific patches to check
For a full list of all available capabilities, this should do:
awk '/^#define/{if ($2 ~ "CAP_") print $2}' /usr/include/linux/capability.h
And then look at the man page capabilities(7) for more information on
what they each are.
Does anyone else think this is a good idea to investigate removing
suid root from *some* of these binaries where it doesn't break
anything? It seems like a win-win to me. The only thing different is
that this would need to be prominently displayed somewhere in the
server docs and the fscaps tools would need to be packaged + the MIR.
--
Jeff Schroeder
Don't drink and derive, alcohol and analysis don't mix.
http://www.digitalprognosis.com
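The mail points out that code which tests for euid 0 breaks once a binary runs with a file capability instead of the suid bit. The following C program is an added example, not code from the mail or from any Ubuntu package: it shows that naive check next to a capability-aware one that asks the kernel, through the raw capget(2) syscall, whether CAP_NET_RAW is in the process's effective set. It builds on Linux without libcap; the function names are my own.

```c
/* Added example (not from the original mail): replace a hard euid==0 test
 * with a test for the specific effective capability a program needs.
 * Uses the raw capget(2) syscall so it builds without libcap. Linux only. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* True if capability number `cap` is set in the (word0, word1) pair that
 * capget returns for the v3 API: caps 0..31 live in word 0, 32..63 in word 1. */
int cap_in_words(uint32_t word0, uint32_t word1, int cap)
{
    if (cap < 0 || cap > 63)
        return 0;
    uint32_t w = cap < 32 ? word0 : word1;
    return (int)((w >> (cap & 31)) & 1u);
}

/* Read the calling thread's effective capability set via capget(2).
 * Returns 1 if `cap` is effective, 0 if it is not, -1 if the syscall fails. */
int have_effective_cap(int cap)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[2];
    memset(&hdr, 0, sizeof hdr);
    memset(data, 0, sizeof data);
    hdr.version = _LINUX_CAPABILITY_VERSION_3;
    hdr.pid = 0;                       /* 0 means the calling thread */
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    return cap_in_words(data[0].effective, data[1].effective, cap);
}

/* The check the mail warns about: only root is allowed, capabilities are ignored. */
int naive_can_open_raw_socket(void)
{
    return geteuid() == 0;
}

/* The capability-aware check: a non-root process carrying CAP_NET_RAW
 * (for example ping after `setcap cap_net_raw+ep` and `chmod u-s`) passes. */
int capaware_can_open_raw_socket(void)
{
    return have_effective_cap(CAP_NET_RAW) == 1;
}

int main(void)
{
    printf("euid==0 check:         %s\n", naive_can_open_raw_socket() ? "allows" : "refuses");
    printf("CAP_NET_RAW effective: %s\n", capaware_can_open_raw_socket() ? "yes" : "no");
    return 0;
}
```

Run it once as an ordinary user and once after granting the compiled binary `cap_net_raw+ep` with the libcap `setcap` tool (and `getcap` to confirm): the euid test refuses in the second case while the capability test passes, which is exactly the breakage the mail expects in programs that hard-code a root check.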