Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Jason E Calvert (calverjBASF-CORP.COM)
Date: Fri Apr 13 2001 - 09:48:48 CDT
Should we start a project? Say a database for different OS's, SUID programs,
why, and md5 sums...
I have a shell script to give md5 sums on suid root programs. We could start a
email alias to send the results to and toss the outliers aside for examination
to get a quick start.
ps Bastille is good at disabling a few suid progies...
Yakov N Miles <ynmilesTELUS.NET> on 04/13/2001 12:17:40 AM
Please respond to Focus on Linux Mailing List <FOCUS-LINUXSECURITYFOCUS.COM>
Subject: Re: Permissions
Matt Block wrote:
> As far as I know, there is no general answer to this question,
> unfortunately. The fact is, any user may have good reasons
> for making some (any) files SUID, SGID, or STICKY. Occasionally,
> the super user may even have good reasons for doing so.
> The trick, in general, is to do it on a case by case basis and
> try to figure out _why_ this particular file or directory
> must be special. For instance, some ftp incoming/ directories
> must be SGID, so that the sweeper can examine their contents.
> If I found the SGID bit set on the public/ directory, however,
> I'd want to remove it. S?ID on CGIs are usually no-no's,
> although they are often set.
> General users rarely but rarely need S?ID or sticky bits.
Andrew Daviel recommends mounting all non-root disks with the option NOSUID
in the FSTAB list. This will stop all kinds of grief when you have various
versions of the operating system mounted on-line at once. Don't forget to
force floppies to mount NOSUID, or you could be in for a trojan attack from
-- Linux - because a PC is a terrible thing to waste. mailto:ynmilestelus.net Note http://www.cheapbytes.com for (almost) free Linux & freeBSD CD-ROMs and http://www.overclockers.com to get the MOST from your computer Website http://yaakov.da.ru