  • 8/8/2019 find_suid

    1/9

    Linux.com

    Search

    Search Search

    Log in | Create Account | Submit Story

    ArticlesCase studiesFeaturesNewsNewsVacReviews

    DocumentationWhat Are Linux HOWTOs?Where Can I Get Linux HOWTOs?HOWTO TranslationsCategorized List of HOWTOsSingle list of HOWTOsSingle list of mini-HOWTOsUnmaintained HOWTOsWriting and Submitting a HOWTOCopyright Information

    Distributions

    ForumsAbout Us

    What is Linux?

    Learn about Linux

    Download Linux

    Get Linux help

    Feeds

    FeaturesNewsVacForumsNews

    Linux.com :: Securing a fresh Linux install, part 2 http://www.linux.com/archive/feature/113

    of 9 08/26/2010 05:17

    Securing a fresh Linux install, part 2

    By Mike Peters on April 21, 2004 (8:00:00 AM)

    In the first article in this series we began looking at ways to secure a new Linux server, starting with locking down services. Next, let's look at securing files and monitoring system logs.

    SUID and SGID files

    SUID and SGID files are executables which, when run by a normal user, may have access to resources not normally available to the user running the program. For example, an SUID program could have the permissions:

    -r-sr-xr-x 1 root root 11267 Jan 21 00:28 /usr/sbin/foo

    The s in the owner's permission field in place of the usual x indicates that /usr/sbin/foo is SUID. If run by a normal user, the executable will run with the privileges of the owner of the file, in this case root, so the program will have access to the same system resources as root.

    Below is an example of an SGID file:

    -r-xr-sr-x 1 root foo 11267 Jan 21 00:28 /usr/sbin/foo

    Here there is an s in the place of the group's executable bit, meaning the file is SGID and will be executed with the group permissions of the foo group.

    SGID and SUID programs may be used by a cracker to gain elevated permissions on a system, so you should keep track of such files. You can find SUID and SGID files using find:

    # find / \( -perm -4000 -o -perm -2000 \) -exec ls -ldb {} \; >> SUID_files.txt

    This command finds all SUID or SGID files and lists them in a file called SUID_files.txt. The parentheses are needed: without them find applies the -exec only to the -perm -2000 branch, so SUID-only files would be matched but never listed. You can unset SUID or SGID privileges with the command chmod -s /usr/sbin/foo, but be warned, unsetting the SUID or SGID bit on some programs may mean that they will no longer run. Periodically check for new files.

    There should be no reason for users to have SUID files in their home directories, so you should use the nosuid option in /etc/fstab for the partition containing users' $HOME directories. For example:

    /dev/hda3 /home ext3 defaults,nosuid 1 1

    World readable/writable files

    Files should be world readable or writable only for very good reasons. You should check for such files the way we did above for SGID and SUID files:

    # find / \( -perm -a+r -o -perm -a+w \) ! -type l >> world_readwrite.txt

    Again, check through the list and remove permissions from files that do not need to be world readable or writable, and run checks regularly for new world readable or writable files.
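The SUID/SGID search and the world-writable search above can be run as one periodic audit against a saved baseline, as in this added Python example (not the article's code). The directory tree and file modes are constructed for demonstration, and the baseline is kept in memory here where a cron job would write it to a file.

```python
"""Added example (not the article's code): audit a directory tree for SUID,
SGID and world-writable regular files and compare the result with a saved
baseline, so that a periodic run reports only what is new or changed."""
import os
import stat
import tempfile

# The bits the article hunts for with find -perm -4000, -2000 and -a+w.
AUDITED_BITS = (("SUID", stat.S_ISUID), ("SGID", stat.S_ISGID), ("WORLD_WRITE", stat.S_IWOTH))

def audit_tree(root):
    """Return {absolute path: [tags]} for regular files carrying any audited bit.
    Symlinks are not followed and other filesystems are not crossed (find -xdev)."""
    root_dev = os.lstat(root).st_dev
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames
                       if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            tags = [tag for tag, bit in AUDITED_BITS if st.st_mode & bit]
            if stat.S_ISREG(st.st_mode) and tags:
                findings[path] = tags
    return findings

def diff_baseline(baseline, current):
    """Entries whose tags are new or changed since the baseline was recorded."""
    return {p: t for p, t in current.items() if baseline.get(p) != t}

def plant(root, name, mode):
    """Create an empty file with the given mode (constructed demo data)."""
    path = os.path.join(root, name)
    open(path, "w").close()
    os.chmod(path, mode)
    return path

def make_fixture():
    """Constructed tree: one SUID, one SGID, one world-writable and one plain file."""
    root = tempfile.mkdtemp()
    for name, mode in (("suid_demo", 0o4755), ("sgid_demo", 0o2755),
                       ("ww_demo", 0o666), ("plain", 0o755)):
        plant(root, name, mode)
    return root

if __name__ == "__main__":
    root = make_fixture()
    baseline = audit_tree(root)          # in practice, save this to a file kept off-box
    plant(root, "planted", 0o4755)       # simulate a SUID file appearing later
    for path, tags in sorted(diff_baseline(baseline, audit_tree(root)).items()):
        print("NEW", ",".join(tags), path)
```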

    Files with no owner or group

    Ownerless files can be an indication that someone has gained access to your system. You should check regularly using the command # find / -nouser -o -nogroup. If you find any ownerless files, either delete them, or, if you know what they are and wish to keep them, assign them to an appropriate user and group. For example, to assign myfile to the user foo and the group bar you would issue the command # chown foo.bar myfile

    Using umask

    The umask command can be used to determine the permissions given to newly created files on your system. Adding the line umask 022 to the /etc/profile file tells the system that any files created by users should have the permissions 0644, or -rw-r--r--. This means users must explicitly make a file executable by using chmod in their $HOME directory.

    The immutable and append-only bits

    With chattr, root can set files to be read-only or append-only. Setting the immutable bit (making a file read-only) ensures that a file cannot be altered, even by root (of course root can remove the immutable bit and then alter the file, so it's not watertight). Setting the append-only bit ensures that the existing contents of a file cannot be changed, only added to. It is a good idea to set the append-only bit on log files: # chattr +a /var/log/messages.

    You can set the immutable bit to make it more difficult to replace important executables or change critical configuration files:

    # chattr +i /usr/bin/ps

    # chattr +i /etc/services

    The attributes of files set by chattr can be displayed using the lsattr utility.

    System logs

    In order to trace any unwanted activity on your computer, you should keep complete and accurate logs. On Linux machines, logging is handled by the syslog daemon, syslogd. Syslogd reads its configuration from the /etc/syslog.conf file. You can set the facilities to be logged, the log priority, and the files in which to log information here. The default values in most distributions do not give you enough information.

    A sensible log policy is to log almost everything in /var/log/messages and /var/log/syslog and then to have each individual facility log to its own separate file, as shown in the example below:

    --- Begin Example syslog.conf-----

    # Log anything 'info' or higher, but lower than 'warn'.
    # Exclude mail. This is logged elsewhere.
    *.info;*.!warn;mail.none    -/var/log/messages

    # Log anything 'warn' or higher.
    # Exclude mail. This is logged elsewhere.
    *.warn;mail.none            -/var/log/syslog

    # Debugging information is logged here.
    *.=debug                    -/var/log/debug

    # Kernel related logs:
    kern.*                      -/var/log/kernel

    # Private authentication message logging:
    authpriv.*                  -/var/log/secure

    # Cron related logs:
    cron.*                      -/var/log/cron

    # Mail related logs:
    mail.*                      -/var/log/maillog

    # Daemon related logs:
    daemon.*                    -/var/log/daemonlog

    # User related logs:
    user.*                      -/var/log/userlog

    # Mark logs:
    mark.*                      -/var/log/marklog

    # Emergency level messages go to all users' consoles:
    *.emerg                     *

    --- End Example syslog.conf-----

    Note the dash before the log files' names. This tells syslogd not to sync after every log. The disadvantage of this is that log information may be lost in the event of a system crash. Removing the dash, however, can cause a performance loss with heavy logging.
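To check what a configuration like the one above actually does, this added Python example (not the article's code) implements the sysklogd selector rules the example relies on: ';' joins selectors, ',' joins facilities, '!' drops that priority and everything more severe, '=' means exactly that priority, 'none' drops a facility, and a leading '-' on the file name turns off the sync after every write. The embedded configuration is the article's example with the comments dropped and mail.none added to the syslog line, as its own comment describes.

```python
"""Added example (not the article's code): resolve which syslog.conf actions
receive a message of a given facility and priority under sysklogd rules."""
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "mark"] + ["local%d" % i for i in range(8)]

# The article's example (comments dropped; mail.none added to the syslog line
# as its "Exclude mail" comment describes).
EXAMPLE_CONF = """\
*.info;*.!warn;mail.none -/var/log/messages
*.warn;mail.none -/var/log/syslog
*.=debug -/var/log/debug
kern.* -/var/log/kernel
authpriv.* -/var/log/secure
cron.* -/var/log/cron
mail.* -/var/log/maillog
daemon.* -/var/log/daemonlog
user.* -/var/log/userlog
mark.* -/var/log/marklog
*.emerg *
"""

def parse_rule(line):
    """(mask, action, sync): mask maps facility -> accepted levels, 0 = emerg."""
    selectors, action = line.split(None, 1)
    mask = {f: set() for f in FACILITIES}
    for sel in selectors.split(";"):
        facs, _, pri = sel.rpartition(".")
        negate, exact = pri.startswith("!"), "=" in pri   # '!' removes, '=' is exact
        pri = pri.lstrip("!=")
        pri = ALIASES.get(pri, pri)
        for fac in (FACILITIES if facs == "*" else facs.split(",")):
            if pri == "none":                      # 'none' drops the whole facility
                mask[fac] = set()
            else:
                idx = len(PRIORITIES) - 1 if pri == "*" else PRIORITIES.index(pri)
                levels = {idx} if exact else set(range(idx + 1))
                mask[fac] = mask[fac] - levels if negate else mask[fac] | levels
    return mask, action.lstrip("-"), not action.startswith("-")  # '-' means no sync

def load_config(text):
    lines = (l.strip() for l in text.splitlines())
    return [parse_rule(l) for l in lines if l and not l.startswith("#")]

def route(rules, facility, priority):
    """Actions (log file, '*' for every user's console, or a tty) that get the message."""
    level = PRIORITIES.index(ALIASES.get(priority, priority))
    return [action for mask, action, _ in rules if level in mask[facility]]
```

For example, route(rules, "mail", "info") shows that a mail message is excluded from both catch-all files and lands only in /var/log/maillog.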

    If you want to be able to track logs in real time, you can open a log file using the command tail -f /var/log/messages. Alternatively you can have a permanent log console by adding the line

    *.* /dev/tty8

    to the end of your syslog.conf file. This displays logs in real time on /dev/tty8. (Be sure that tty8 exists, of course!)

    In order to keep accurate logs, ensure that your system clock is accurate at all times. You should look to using Network Time Protocol (NTP) to maintain your system clock's accuracy. The easiest way to do this is to regularly run ntpdate some.time.server from a cron job.

    Finally, although it's not really related to your system logs, make sure you redirect root's mail to your normal user account so you don't miss any important warning mail messages sent to root. You should do this either by placing the line:

    root: [email protected]

    in /etc/aliases and running the command newaliases, or, alternatively, create a file named .forward in /root containing the address you want mail to be forwarded to.

    In the third and final part of this series we'll look at security considerations for some important networking tools.

    Mike Peters is a freelance consultant and programmer and long-time Linux user.

    Comments on Securing a fresh Linux install, part 2

    Corrections?

    Posted by: Administrator on April 22, 2004 09:31 AM

    I have two comments about this article:

    (1) World readable files are very common on Linux. It's world writable files that should be rare. It is true if you want files private, like your home directory for example it should not be world readable -- and there are certain files in /etc and elsewhere that should not be world readable but this is not a blanket statement.

    (2) A umask of 022 seems just wrong to me. This is no security at all pretty much. In fact it contradicts what you said a few paragraphs earlier about not wanting world readable files. If you want security use 007, 027, or 077 depending on your needs, how you setup shares, and your group structure.

    These are two basic mistakes. It makes me wonder how much the author really knows about security. I think your articles are about an important topic, but please present the topic with a little more care.

    Rob
