1 |
Hi! |
2 |
|
3 |
I've just checked my system for SUID progs and there a lot of them... |
4 |
Most of them (like ping/mount/chsh/vmware) are really must be suid. |
5 |
But there a number of suid progs which probably don't really need to be suid: |
6 |
|
7 |
-rwsr-x--- 1 root cron 632 æÅ× 13 05:52 /etc/init.d/dcron |
8 |
|
9 |
No comments. :( |
10 |
|
11 |
-rwsr-xr-x 1 root root 804924 æÅ× 13 14:17 /usr/bin/gpg |
12 |
|
13 |
Yeah, I know, gpg WANT to be suid to do something with protecting it's |
14 |
memory, but is this really give any benefits? I mean, it's anyway possible |
15 |
for root to read it's memory from /dev/kmem, and it's anyway impossible to |
16 |
read it's memory from swap-partition for usual user because permissions |
17 |
for any disk partitions are 0600. |
18 |
|
19 |
-rws--x--x 2 root root 1089220 æÅ× 12 18:34 /usr/bin/sperl5.8.2 |
20 |
-rws--x--x 2 root root 1089220 æÅ× 12 18:34 /usr/bin/suidperl |
21 |
|
22 |
AFAIK perl developers suggest not install suidperl because they fail to |
23 |
make it really secure. They suggest installing suidperl ONLY for old |
24 |
systems with scripts already requiring suidperl. |
25 |
|
26 |
-rwsr-xr-x 1 root root 6108 éÀÌ 24 08:52 /usr/kde/3.2/bin/kpac_dhcp_helper |
27 |
|
28 |
I don't know what's this. I'm not surprised by two other suid progs - |
29 |
"pty helpers", one for KDE and one for Gnome, but this one isn't looks |
30 |
really needed to be suid..? |
31 |
|
32 |
-rws--x--x 1 root root 155172 íÁÊ 3 21:16 /usr/lib/misc/ssh-keysign |
33 |
|
34 |
Hmm. Manual pages point me to "HostbasedAuthentication" and |
35 |
"EnableSSHKeysign" options. I think it's used very rarely, so maybe it |
36 |
has sense to make this prog not suid, and add some comment near these |
37 |
options in /etc/ssh/ssh*_config files like: "if you want to use host based |
38 |
authentication then please make /usr/lib/misc/ssh-keysign suid before |
39 |
enabling this option"? |
40 |
|
41 |
-rwsr-xr-x 1 root root 6128 æÅ× 12 17:32 /usr/lib/misc/pt_chown |
42 |
|
43 |
From `man grantpt` : |
44 |
This is part of the Unix98 pty support, see pts(4). Many systems |
45 |
implement this function via a setuid helper binary called "pt_chown". |
46 |
With Linux devpts no such helper binary is required. |
47 |
So, is we really need it? Maybe we need devpts enabled instead? :) |
48 |
|
49 |
-r-sr-xr-x 1 root root 261600 æÅ× 13 15:12 /usr/sbin/pppd |
50 |
|
51 |
I want to write "no comments" again, but then decide to explain. |
52 |
I don't know reason to not execute pppd always by root. If somebody |
53 |
want to execute pppd by usual user - he can make pppd suid manually. |
54 |
|
55 |
|
56 |
|
57 |
So, what do you think about this? |
58 |
|
59 |
-- |
60 |
WBR, Alex. |
61 |
|
62 |
-- |
63 |
gentoo-security@g.o mailing list |