suid bit files + securing FreeBSD

Peter Jeremy PeterJeremy at optushome.com.au
Sat Jul 26 16:57:22 PDT 2003


On Sat, Jul 26, 2003 at 07:23:02PM +0200, Peter Rosa wrote:
>Please, has anyone simple answer for:

Unfortunately, there isn't one.

>I'm looking for an exact list of files, which:
>1. MUST have...
>2. HAVE FROM BSD INSTALLATION...
>3. DO NOT NEED...
>4. NEVER MAY...
>...the suid-bit set.

You may also want to look through the files that are setgid.

>Of course, it's no problem to find out which files ALREADY HAVE the
>suid bit set.

Agreed.

> But what files REALLY MUST have it ?

There's no simple answer to this.  It's a matter of going through each
file with setuid (or setgid) set, understanding why that file has the
set[gu]id bit and whether you need that functionality.

>I know generalities, e.g. a shell should never have the suid bit set,
>but what if someone has copied a shell to some other location
>and set the suid bit? It's a security hole, isn't it?

Yes.  But keep in mind that you have to be user "foo" or
root to make an arbitrary file setuid "foo".  If you find that you
have unexpected setuid "foo" files on your machine (where "foo" is not
a shell user account) then your machine has already been compromised.

>Second question is: Has anybody an exact wizard, how to secure
>the FreeBSD machine.

Seal it in an underground concrete bunker with no external access.
Of course, this still isn't perfectly secure but it's probably good
enough for most purposes.  :-)

>Imagine the situation, the only person who
>can do anything on that machine is me, and nobody else.

It still depends on what you want to do on the machine and what you
want the machine to be able to do.

>I have removed ALL tty's except
>two local tty's (I need to work on that machine),

Keep in mind that it isn't essential to have a TTY to access a machine.

>still open port 25 and 53 (must be forever), so someone very
>tricky can compromise my machine.

Yes.  Does the machine need to be an SMTP/DNS server?  Have you
evaluated the various SMTP/DNS daemons for their security?  Have you
installed the SMTP/DNS daemon securely?

Peter
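The audit the reply describes (enumerate every set[ug]id file, then watch for ones that were not there before, such as a setuid copy of a shell in an unexpected place) as an added example; this is not code from the original message or from FreeBSD, and the tree layout, file names and one-line-per-file baseline format are this example's own assumptions. It only finds and diffs the files; deciding which of the base system's setuid programs you actually need is still the manual review the reply calls for.

```shell
#!/bin/sh
# Added example (not from the original thread or from FreeBSD): enumerate
# setuid/setgid regular files under a directory tree and diff the result
# against a baseline saved earlier, so that a new set[ug]id file (say, a
# setuid copy of a shell under /tmp) shows up as a new line.
# Assumptions: the baseline is a file written by list_setid, and paths
# contain no newlines. The real base-system inventory is not reproduced here.

# list_setid ROOT
#   Print every regular file below ROOT that has the setuid or setgid bit
#   set, as "mode owner group path", one per line, sorted so the output can
#   be fed to comm(1). Size and mtime are deliberately left out so that a
#   rebuild of the same binary does not show up as a change.
list_setid() {
    root=${1:?usage: list_setid ROOT}
    # -perm -4000: setuid bit set; -perm -2000: setgid bit set
    # (other mode bits may be anything, hence the leading '-').
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) -exec sh -c '
        for f do
            # ls -ld is portable where stat(1) formats are not; field 1 is
            # the mode string, 3 the owner, 4 the group.
            set -- $(ls -ld "$f")
            printf "%s %s %s %s\n" "$1" "$3" "$4" "$f"
        done' sh {} + | LC_ALL=C sort
}

# check_new_setid ROOT BASELINE
#   Compare the current set[ug]id inventory of ROOT with BASELINE and print
#   every line present now but absent from the baseline. Returns 1 if any
#   such line exists (something gained a set[ug]id bit since the baseline
#   was taken), 0 otherwise. Lines that disappeared are not reported here;
#   those are usually the result of the audit itself (removing a bit).
check_new_setid() {
    root=${1:?usage: check_new_setid ROOT BASELINE}
    baseline=${2:?usage: check_new_setid ROOT BASELINE}
    new=$(list_setid "$root" | LC_ALL=C comm -13 "$baseline" -)
    if [ -n "$new" ]; then
        printf '%s\n' "$new"
        return 1
    fi
    return 0
}

# Usage (run as root against the real filesystem; "/" and the baseline
# path are just an illustration):
#   list_setid / > /var/db/setid.baseline       # after the manual review
#   check_new_setid / /var/db/setid.baseline    # later, e.g. from cron
```

A setuid "foo" file you did not create is, as the reply says, evidence rather than a weakness to fix, so the point of keeping the baseline off the machine (or at least on read-only media) is that an intruder who can create such files can also edit a baseline stored alongside them. FreeBSD's periodic daily security run performs a comparable setuid diff (periodic(8), the 100.chksetuid script), so on a stock system the added script mainly shows what that check is doing.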


More information about the freebsd-security mailing list