[ubuntu-hardened] Removing suid root from binaries where it isn't needed
Jeff Schroeder
jeffschroed at gmail.com
Wed Oct 31 23:07:46 GMT 2007

On 10/31/07, Kees Cook <kees at ubuntu.com> wrote:
> Perfect, good start. One note about the derooting checks: we need to
> examine how the application behaves after it starts. For example, ping
> is derooted already (it drops privs after getting the SOCK_RAW
> connection):
...
> Since there is work needed to investigate each source package, this is
> why keeping a list of the investigation work in the wiki will be
> helpful.

So I've done a quick peek at the code on every suid root binary on
this Gutsy laptop sans a few that should be setuid root such as sudo
and the shadow passwd utils. It was a lot better than expected IRT
dropping privilege after it is needed or not. We can still patch a lot
of those to check for the capability for things like ping instead of
still requiring root, but it is still in good shape.

https://wiki.ubuntu.com/Security/Investigation/Setuid

What can be added to this? Also, is there any clean way to trawl the
full Ubuntu archive for packages that install setuid root
applications? Installing all 23132 packages just to check seems like a
bad idea and a serious pain, automated or otherwise.
--
Jeff Schroeder
Don't drink and derive, alcohol and analysis don't mix.
http://www.digitalprognosis.com
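
The pattern discussed in this message (take the SOCK_RAW socket while privileged, then give up root for good) is what a derooting review looks for in the source. The sketch below is an added example, not code from ping or from anyone in this thread; the function names `drop_privileges` and `open_icmp_then_drop` are hypothetical.

```c
/* Added illustration: acquire the privileged resource, then drop root. */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Permanently return to the invoking user's ids (hypothetical helper).
 * Returns 0 on success, -1 if a step fails or root can be regained. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Group first: after the uid is dropped the gid can no longer change. */
    if (setgid(rgid) != 0)
        return -1;
    /* With euid 0, setuid() resets the real, effective and saved uid. */
    if (setuid(ruid) != 0)
        return -1;
    /* Verify: an unprivileged caller must not be able to get root back. */
    if (ruid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    return 0;
}

/* Open the raw ICMP socket (needs root or CAP_NET_RAW), then drop.
 * Returns the fd, -1 if the socket was refused, -2 if the drop failed. */
int open_icmp_then_drop(void)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (drop_privileges() != 0) {   /* drop even when socket() failed */
        if (fd >= 0)
            close(fd);
        return -2;                  /* caller must exit, not carry on */
    }
    return fd;
}

int main(void)
{
    int fd = open_icmp_then_drop();
    if (fd == -2)
        return 1;
    printf("fd=%d uid=%d euid=%d\n", fd, (int)getuid(), (int)geteuid());
    return 0;
}
```

When reading a setuid binary's source, the things to confirm are the ones this sketch makes explicit: the drop happens on every path, including the failure path, its return value is checked, and nothing runs as root after the socket is obtained.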