-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> does anybody know's which kind of another files should be taken the +s
> option to block this bug ?

Uh, all of them? Unless you explicitly need the functionality of a
particular setuid binary, you should remove the setuid bit.

For example, on most of my machines I run something like:

SETUIDOK='/usr/bin/su|/usr/local/bin/sudo|/usr/bin/passwd'
FILENAME=/root/desetuid-`date +%s`-$$-`hostname`
find / -fstype nfs -prune -o -perm -4000 -user 0 -type f | egrep \
        -v \($SETUIDOK\) \ > $FILENAME
ls -lo `cat $FILENAME` > ${FILENAME}.listing
find `cat $FILENAME` -flags chflags > ${FILENAME}.schg
chflags noschg `cat ${FILENAME}.schg`
chmod u-s `cat $FILENAME`
chflags schg `cat ${FILENAME}.schg`

to remove all setuid root bits except for the ones in SETUIDOK (passwd,
su, sudo).

Note, there was a previous thread on creating make variables to control
whether or not each setuid binary would be installed setuid. I haven't
done any work on a patch, yet, but such a system would allow you a cleaner
way of deciding which binaries should be setuid when you do a make world.

 -Jason

 -----------------------------------------------------------------------
 I worry about my child and the Internet all the time, even though she's
 too young to have logged on yet. Here's what I worry about. I worry
 that 10 or 15 years from now, she will come to me and say "Daddy, where
 were you when they took freedom of the press away from the Internet?"
        -- Mike Godwin

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQE8xLfrswXMWWtptckRAtgOAKCeKvAVuiSOuIfwpJj0YaUZK7Nr3QCfShgg
vDWgBTH9H7Uq832IP0+a9XU=
=pFBi
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomoFreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]