| 1 |
Alot of the suid binarys that get installed on a gentoo system seem to |
| 2 |
have had there default permissions overlooked. |
| 3 |
|
| 4 |
Today we will cover group and other readable bits and why I think they |
| 5 |
should be removed on installed setid ELF's. |
| 6 |
|
| 7 |
Alot of the common buffer overflows exploits these days rely on knowing |
| 8 |
a predefined offsets or relocation addresses. Sometimes these offsets |
| 9 |
are not known to the exploit itself at compile time and the author often |
| 10 |
leaves it up to the local attacker to find the offsets using tools such |
| 11 |
as objdump,readelf,examminer. Now if the local attacker is unable read |
| 12 |
the binary he/she wont be able to discover these offsets thus making |
| 13 |
future exploitation harder to exploit on a gentoo system. |
| 14 |
|
| 15 |
The "least privilege" rule, strictly applied, can save us from a lot of |
| 16 |
unexpected trouble. |
| 17 |
|
| 18 |
You can use the following command to see what setid files you have and |
| 19 |
what port they came from. -requires gentoolkit |
| 20 |
|
| 21 |
find / \( -perm 04000 -o -perm -02000 \) -type f -ls 2> /dev/null | |
| 22 |
while read line; do suid=`echo $line | awk '{print $11}'` ; echo $line |
| 23 |
"[`qpkg -nc -f $suid`]" ; done |
| 24 |
|
| 25 |
Over the next week or so I will be looking over the permissions of |
| 26 |
eveything I use and offering unified diffs/patches when/where feasible. |
| 27 |
|
| 28 |
If you currently are a maintainer of a port that installs files 4755(I |
| 29 |
hope you all know who you are) please try to get your port to install |
| 30 |
4711 or with even less privs. However if your program is a setid |
| 31 |
executable script then you should leave the permissions alone. |
| 32 |
|
| 33 |
Below is a suggested patch to the current util-linux ebuild. |
| 34 |
|
| 35 |
http://cvs.gentoo.org/~solar/util-linux-2.11z-r4.ebuild.diff |
| 36 |
-- |
| 37 |
Ned Ludd <solar@g.o> |
| 38 |
Gentoo Linux (Hardened) |
| 39 |
|
| 40 |
|
| 41 |
-- |
| 42 |
gentoo-dev@g.o mailing list |
Archives