Linuxtopia - Securing and Optimizing Linux -
Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.60">

5.23. Bits from root-owned programs

A regular user will be able to run a program as root if it is set to SUID root. All programs and files on your computer with the s bits appearing on its mode, have the SUID -rwsr-xr-x or SGID -r-xr-sr-x bit enabled. Because these programs grant special privileges to the user who is executing them, it is important to remove the s bits from root-owned programs that won't absolutely require such privilege. This can be accomplished by executing the command chmod a-s with the name(s) of the SUID/SGID files as its arguments. Such programs include, but aren't limited to:

  • Programs you never use.

  • Programs that you don't want any non-root users to run.

  • Programs you use occasionally, and don't mind having to su to root to run.

We've placed an asterisk * next to each program we personally might disable and consider to be not absolutely required for the working of our server. Remember that your system needs some suid root programs to work properly, so be careful. make your choices based on your requirements. To find all files with the s bits from root-owned programs, use the command:

            [[email protected]]#find / -type f \( -perm -04000 -o -perm -02000 \) \-exec ls 'lg {} \;
             


            *-rwsr-xr-x	1 root     root	35168	Sep	22	23:35	/usr/bin/chage
            *-rwsr-xr-x	1 root     root	36756	Sep	22	23:35	/usr/bin/gpasswd
            *-r-xr-sr-x	1 root     tty	6788	Sep 	6	18:17	/usr/bin/wall
            -rwsr-xr-x	1 root     root	33152	Aug	16	16:35	/usr/bin/at
            -rwxr-sr-x	1 root     man	34656	Sep	13	20:26	/usr/bin/man
            -r-s--x--x	1 root     root	22312	Sep	25	11:52	/usr/bin/passwd
            -rws--x--x	2 root     root	518140 	Aug	30	23:12	/usr/bin/suidperl
            -rws--x--x	2 root     root	518140 	Aug	30	23:12	/usr/bin/sperl5.00503
            -rwxr-sr-x	1 root     slocate	24744	Sep	20	10:29	/usr/bin/slocate
            *-rws--x--x	1 root     root	14024	Sep 	9	01:01	/usr/bin/chfn
            *-rws--x--x	1 root     root	13768	Sep	9	01:01	/usr/bin/chsh
            *-rws--x--x	1 root     root	5576	Sep	9	01:01	/usr/bin/newgrp
            *-rwxr-sr-x	1 root     tty	8328	Sep	9	01:01	/usr/bin/write
            -rwsr-xr-x	1 root     root	21816	Sep	10	16:03	/usr/bin/crontab
            *-rwsr-xr-x	1 root     root	5896	Nov	23	21:59	/usr/sbin/usernetctl
            *-rwsr-xr-x	1 root     bin	16488	Jul	2	10:21	/usr/sbin/traceroute
            -rwxr-sr-x	1 root     utmp	6096	Sep	13	20:11	/usr/sbin/utempter
            -rwsr-xr-x	1 root     root	14124	Aug	17	22:31	/bin/su
            *-rwsr-xr-x	1 root     root	53620	Sep	13	20:26	/bin/mount
            *-rwsr-xr-x	1 root     root	26700	Sep	13	20:26	/bin/umount
            *-rwsr-xr-x	1 root     root	18228	Sep	10	16:04	/bin/ping
            *-rwxr-sr-x	1 root     root	3860	Nov	23	21:59	/sbin/netreport
            -r-sr-xr-x	1 root     root	26309	Oct	11	20:48	/sbin/pwdb_chkpwd
            

To disable the suid bits on selected programs above, type the following commands:

            [[email protected]] /# chmod a-s /usr/bin/chage
            [[email protected]] /# chmod a-s /usr/bin/gpasswd
            [[email protected]] /# chmod a-s /usr/bin/wall
            [[email protected]] /# chmod a-s /usr/bin/chfn
            [[email protected]] /# chmod a-s /usr/bin/chsh
            [[email protected]] /# chmod a-s /usr/bin/newgrp
            [[email protected]] /# chmod a-s /usr/bin/write
            [[email protected]] /# chmod a-s /usr/sbin/usernetctl
            [[email protected]] /# chmod a-s /usr/sbin/traceroute
            [[email protected]] /# chmod a-s /bin/mount
            [[email protected]] /# chmod a-s /bin/umount
            [[email protected]] /# chmod a-s /bin/ping
            [[email protected]] /# chmod a-s /sbin/netreport

Example 5-4. Use man pages

If you want to know what those programs do, type man program-name and read the man page.
          
            [[email protected]] /# man netreport
            

 
 
  Published under the terms of the Open Publication License Design by Interspire