Gentoo Archives: gentoo-dev

From: Ned Ludd <solar@g.o>
To: gentoo-dev@g.o
Subject: [gentoo-dev] Towards less insecure permissions on gentoo
Date: Tue, 03 Jun 2003 20:16:15
Message-Id: 1054671011.20032.320.camel@simple
A lot of the suid binaries that get installed on a gentoo system seem to
have had their default permissions overlooked.

Today we will cover group and other readable bits and why I think they
should be removed on installed setid ELFs.

A lot of the common buffer overflow exploits these days rely on knowing
predefined offsets or relocation addresses. Sometimes these offsets
are not known to the exploit itself at compile time and the author often
leaves it up to the local attacker to find the offsets using tools such
as objdump, readelf, examminer. Now if the local attacker is unable to read
the binary he/she won't be able to discover these offsets, thus making
future exploitation harder to exploit on a gentoo system.

The "least privilege" rule, strictly applied, can save us from a lot of
unexpected trouble.

You can use the following command to see what setid files you have and
what port they came from. -requires gentoolkit

# -perm -04000 / -perm -02000 match files with the setuid / setgid bit set
# (a bare -perm 04000 would only match a file whose mode is exactly 04000).
# Field 11 of 'find -ls' output is the path; qpkg -f reports the owning port.
find / \( -perm -04000 -o -perm -02000 \) -type f -ls 2> /dev/null |
while read line; do suid=`echo $line | awk '{print $11}'` ; echo $line
"[`qpkg -nc -f $suid`]" ; done

Over the next week or so I will be looking over the permissions of
everything I use and offering unified diffs/patches when/where feasible.

If you currently are a maintainer of a port that installs files 4755 (I
hope you all know who you are) please try to get your port to install
4711 or with even less privs. However if your program is a setid
executable script then you should leave the permissions alone.

Below is a suggested patch to the current util-linux ebuild.

--
Ned Ludd <solar@g.o>
Gentoo Linux (Hardened)

--
gentoo-dev@g.o mailing list
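As an added example (not from Ned's mail, gentoolkit or any ebuild), a POSIX shell audit that applies the mail's rule: it lists setuid/setgid files, flags ELF images that are still group- or other-readable, leaves setid scripts alone, and shows the chmod that turns 4755 into 4711. It goes a little beyond the mail by checking the ELF magic itself; the sample files mount, su and wrap are constructed stand-ins, not real installed programs.

```shell
#!/bin/sh
# Audit setuid/setgid files and flag ELF binaries that are still group- or
# other-readable, the case the mail proposes tightening (4755 -> 4711).
# Non-ELF files (setid scripts) are only reported, as the mail advises.
# Everything below is an added example; the sample tree is constructed.

# is_elf FILE: true when the file starts with the ELF magic 0x7f 'E' 'L' 'F'.
is_elf() {
    [ "$(head -c 4 "$1" | od -An -c | tr -d ' \n')" = "177ELF" ]
}

# classify_setid FILE: "tighten" = ELF with group/other read bits set,
# "ok" = ELF without them, "script" = not an ELF image at all.
classify_setid() {
    mode=$(ls -ld "$1" | cut -c1-10)      # e.g. -rwsr-xr-x
    g_r=$(printf '%s' "$mode" | cut -c5)  # group read flag
    o_r=$(printf '%s' "$mode" | cut -c8)  # other read flag
    if ! is_elf "$1"; then echo script
    elif [ "$g_r" = r ] || [ "$o_r" = r ]; then echo tighten
    else echo ok
    fi
}

# audit_setid_tree DIR: every setuid/setgid regular file with its verdict.
audit_setid_tree() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while read -r f; do printf '%s %s\n' "$(classify_setid "$f")" "$f"; done
}

# make_sample_tree DIR: constructed stand-ins for installed programs.
make_sample_tree() {
    mkdir -p "$1"
    printf '\177ELF' > "$1/mount" && chmod 4755 "$1/mount"   # readable setuid ELF
    printf '\177ELF' > "$1/su"    && chmod 4711 "$1/su"      # already tightened
    printf '#!/bin/sh\n' > "$1/wrap" && chmod 4755 "$1/wrap" # setid script
}

# Demo: build the tree, audit it, then apply the fix to flagged binaries.
demo_dir=$(mktemp -d "${TMPDIR:-/tmp}/setid-audit.XXXXXX")
make_sample_tree "$demo_dir"
audit_setid_tree "$demo_dir"
for f in $(audit_setid_tree "$demo_dir" | awk '$1 == "tighten" { print $2 }'); do
    chmod go-r "$f"   # 4755 becomes 4711
    echo "tightened $f -> $(ls -ld "$f" | cut -c1-10)"
done
rm -rf "$demo_dir"
```

Run it against a real root as audit_setid_tree / to get the same verdicts for installed files; the chmod loop is deliberately limited to the demo tree.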

