A lot of the suid binaries that get installed on a gentoo system seem to
have had their default permissions overlooked.

Today we will cover group and other readable bits and why I think they
should be removed on installed setid ELFs.

A lot of the common buffer overflow exploits these days rely on knowing
predefined offsets or relocation addresses. Sometimes these offsets
are not known to the exploit itself at compile time and the author often
leaves it up to the local attacker to find the offsets using tools such
as objdump, readelf, examminer. Now if the local attacker is unable to read
the binary he/she won't be able to discover these offsets, thus making
future exploitation harder on a gentoo system.

The "least privilege" rule, strictly applied, can save us from a lot of
unexpected trouble.

You can use the following command to see what setid files you have and
what port they came from. -requires gentoolkit

find / \( -perm -04000 -o -perm -02000 \) -type f -ls 2> /dev/null |
while read line; do suid=`echo $line | awk '{print $11}'` ; echo $line \
"[`qpkg -nc -f $suid`]" ; done

Over the next week or so I will be looking over the permissions of
everything I use and offering unified diffs/patches when/where feasible.

If you currently are a maintainer of a port that installs files 4755 (I
hope you all know who you are) please try to get your port to install
4711 or with even less privs. However if your program is a setid
executable script then you should leave the permissions alone.

Below is a suggested patch to the current util-linux ebuild.

http://cvs.gentoo.org/~solar/util-linux-2.11z-r4.ebuild.diff
-- 
Ned Ludd <solar@g.o>
Gentoo Linux (Hardened)


-- 
gentoo-dev@g.o mailing list
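As an added example, not code from the post above, here is a POSIX shell audit that extends the find command in the post: it lists the setid ELF files under a directory that still carry group or other read bits and prints the chmod to 4711 the post recommends, leaving setid scripts alone as the post advises. It assumes GNU find (for -printf) plus od, head and tr.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a directory tree for
# setid ELF files that still carry group/other read bits, and print the chmod
# to 4711 that tightens them. Setid scripts (no ELF magic) are left alone, as
# the post recommends. Assumes GNU find (for -printf) and od/head/tr.

# Print "mode path" (mode in octal, e.g. 4755) for every setuid/setgid regular
# file under $1 that is readable by group or other and starts with \177ELF.
readable_setid_elfs() {
    find "$1" -type f \( -perm -04000 -o -perm -02000 \) \
         \( -perm -0040 -o -perm -0004 \) -printf '%m %p\n' 2>/dev/null |
    while read -r mode path; do
        # od -c renders byte 0x7f as "177"; non-ELF files (scripts, data) are skipped.
        magic=$(head -c 4 "$path" | od -An -c | tr -d ' ')
        [ "$magic" = "177ELF" ] || continue
        printf '%s %s\n' "$mode" "$path"
    done
}

# For each hit, emit the chmod that keeps the setid digit (4, 2 or 6) and the
# owner's rwx but drops every group/other bit: 4755 -> 4711, 6755 -> 6711.
suggest_chmod() {
    readable_setid_elfs "$1" | while read -r mode path; do
        setid=${mode%???}        # strip the three rwx digits, keep the setid digit
        printf 'chmod %s711 %s\n' "$setid" "$path"
    done
}

# When invoked with a directory argument, print the suggested chmod commands.
if [ "$#" -gt 0 ]; then
    suggest_chmod "$1"
fi
```

Review the output before applying it; the post's own advice is to leave setid scripts readable, which is why anything without the ELF magic is skipped.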