Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Removing setuid option for security.
Top Forums UNIX for Dummies Questions & Answers Removing setuid option for security. Post 302472738 by pinga123 on Thursday 18th of November 2010 01:57:16 AM
Old 11-18-2010
Removing setuid option for security.
According to Security standards given in
https://www.stanford.edu/dept/as/ia/security/policies_standards/AS_standards/RH_linux_prod_sec_std_1.0.1.html


Quote:
Unless otherwise approved the following setuid root binaries are the only ones allowed on production servers:

* /bin/su
* /usr/bin/sudo
* /usr/bin/passwd
Being a production system i want to implement the same on our server.
but when i tried finding other files i got following output.

Code:
# ls -ltr `find / -user root -perm -4000 -print`
find: /proc/10558/task/10558/fd/4: No such file or directory
find: /proc/10558/fd/4: No such file or directory
-rwsr-xr-x 1 root root  43976 Jun  5  2007 /usr/bin/at
-rwsr-xr-x 1 root root   6240 Jun  6  2007 /usr/sbin/ccreds_validate
-rwsr-xr-x 1 root root  22984 Jun  6  2007 /usr/bin/passwd
-rwsr-xr-x 1 root root  40976 Jul 31  2008 /opt/oracle/usr/libexec/libvirt_proxy
-rwsr-x--- 1 root dbus  45148 Oct 31  2008 /lib/dbus-1/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root  31244 Oct 31  2008 /bin/ping6
-rwsr-xr-x 1 root root  35864 Oct 31  2008 /bin/ping
-rwsr-xr-x 1 root root  19184 Nov  1  2008 /sbin/unix_chkpwd
-rwsr-xr-x 1 root root  12248 Nov  1  2008 /sbin/pam_timestamp_check
-rwsr-xr-x 1 root root  24588 Nov  1  2008 /usr/bin/newgrp
-rwsr-xr-x 1 root root  51512 Nov  1  2008 /usr/bin/gpasswd
-rwsr-xr-x 1 root root  46972 Nov  1  2008 /usr/bin/chage
-rws--x--x 1 root root  32780 Nov  1  2008 /usr/sbin/userhelper
-rwsr-sr-x 1 root root 315416 Nov  1  2008 /usr/bin/crontab
-rwsr-xr-x 1 root root 176572 Nov  6  2008 /usr/libexec/openssh/ssh-keysign
-rwsr-xr-x 1 root root  70776 Jan 21  2009 /sbin/mount.nfs4
-rwsr-xr-x 1 root root  70772 Jan 21  2009 /sbin/mount.nfs
-rwsr-xr-x 1 root root  70776 Jan 21  2009 /sbin/umount.nfs4
-rwsr-xr-x 1 root root  70776 Jan 21  2009 /sbin/umount.nfs
---s--x--x 2 root root 140712 Jan 22  2009 /usr/bin/sudoedit
---s--x--x 2 root root 140712 Jan 22  2009 /usr/bin/sudo
-rwsr-xr-x 1 root root  38936 Jan 22  2009 /bin/umount
-rwsr-xr-x 1 root root  58324 Jan 22  2009 /bin/mount
-rws--x--x 1 root root  19096 Jan 22  2009 /usr/bin/chsh
-rws--x--x 1 root root  17900 Jan 22  2009 /usr/bin/chfn
-rwsr-xr-x 1 root root  23960 Jan 22  2009 /bin/su
-rwsr-xr-x 1 root root 147631 Apr  8  2009 /usr/kerberos/bin/ksu
-rwsr-xr-x 1 root root   6820 Jun 28  2009 /usr/sbin/usernetctl
-rwsr-xr-x 1 root root  64908 Jul 15  2009 /usr/libexec/libvirt_proxy

Now i m confused over how to remove setuid options on these files? and more important will it impact on rest of the sytem?
 

10 More Discussions You Might Find Interesting

1. UNIX for Advanced & Expert Users

setuid

I have a C wrapper programme which basically execute a shell script. The shell script has 700 as permission and oracle is owner of the shell script. The C execuatble has 4711 permission so that means that it has setuid bit set and group and others can execute the C executable. The reason why I am... (2 Replies)
Discussion started by: sanjay92
2 Replies

2. UNIX for Dummies Questions & Answers

help removing dashes from social security number

I have a file containing social security numbers with the format ###-##-####. I need to read each record in this file, reformat the SSN to the format #########, and write the record with the reformatted SSN to a new file. I am a UNIX newbie. I think I need to use either the sed or awk commands, but... (2 Replies)
Discussion started by: Marcia P
2 Replies

3. UNIX for Dummies Questions & Answers

setuid

could u plz give me clear idea of spcial permissions setuid,getuid and striky bit . (1 Reply)
Discussion started by: Prem
1 Replies

4. UNIX for Dummies Questions & Answers

No Password - - Setuid Only Option in Solaris 10

In Solaris 9, when I built users, there was an option for No Password -- Setuid Only. Now that I'm using Solaris 10, I no longer can find that option. Is there an equivalent option of No Password --Setuid Only in Solaris 10? Thanks, LeonD (1 Reply)
Discussion started by: leond
1 Replies

5. Shell Programming and Scripting

option followed by : taking next option if argument missing with getopts

Hi all, I am parsing command line options using getopts. The problem is that mandatory argument options following ":" is taking next option as argument if it is not followed by any argument. Below is the script: while getopts :hd:t:s:l:p:f: opt do case "$opt" in -h|-\?)... (2 Replies)
Discussion started by: gurukottur
2 Replies

6. Solaris

Removing ro option from zones

Hey all, I need to remove the ro option from an fs on a zone. Does anyone know how to do this without removing the fs and recreating it? fs: dir: /home/em23/prod special: /export/zones/em23/root/ftp/prod raw not specified type: lofs options: (1 Reply)
Discussion started by: em23
1 Replies

7. Solaris

setuid and guid

Hi All, Can someone give me some info about setuid or guid topic? Also about sticky bit. Thanks in advance, itik (9 Replies)
Discussion started by: itik
9 Replies

8. Shell Programming and Scripting

recently introduced to the newer option for find...does an older option exist?

To find all the files in your home directory that have been edited in some way since the last tar file, use this command: find . -newer backup.tar.gz Is anyone familiar with an older solution? looking to identify files older then 15mins across several directories. thanks, manny (2 Replies)
Discussion started by: mr_manny
2 Replies

9. Solaris

Need help with setuid.

Hi Gurus, I need your suggestions,to implement setuid. Here is the situation. I have a user xyz on a solaris zone.He needs to install a package using a pkgadd command but i guess only a root can run that .Is there any way I can set the setuid bit on the pkgadd which is in the location... (6 Replies)
Discussion started by: rama krishna
6 Replies

10. UNIX for Beginners Questions & Answers

What keeps me from abusing setuid(0) and programs with setuid bit set?

Just learning about the privilege escalation method provided by setuid. Correct me if I am wrong but what it does is change the uid of the current process to whatever uid I set. Right ? So what stops me from writing my own C program and calling setuid(0) within it and gaining root privileges ? ... (2 Replies)
Discussion started by: sreyan32
2 Replies

LEARN ABOUT LINUX

checksecurity

CHECKSECURITY(8)					      System Manager's Manual						  CHECKSECURITY(8)

NAME

       checksecurity - Run a collection of simple system checks

SYNOPSIS

       checksecurity

DESCRIPTION

       The checksecurity command runs a small collection of simple system checks which are designed to catch a few common security issues.  check-
       security is run by cron in a daily basis.

CONFIGURATION

       The checksecurity.conf file defines several configuration variables: MAILTO, CHECK_DISKFREE, CHECK_PASSWD and CHECK_SETUID LOGDIR.  Each is
       described below.

       The  checksecurity program works with a collection of plugins which are located in /usr/share/checksecurity and are configured individually
       by their own configuration file.

       CHECK_PASSWD If this is set to TRUE then the check-passwd script will be invoked.  This script is designed to report upon  system  accounts
       which  have  no passwords.  CHECK_DISKFREE If this is set to TRUE then the check-diskfree script will be invoked and will allow an alert to
       be sent if there is any mounted partition is running short on disk space.  CHECK_SETUID If this is set to TRUE then the check-setuid script
       will be invoked, this will compare the setuid binaries upon the system to those that existed previously and show the differences.

FILES

       /etc/checksecurity.conf
	      checksecurity configuration file

SEE-ALSO
       See also check-diskfree(8), check-setuid(8), and check-passwd(8)

Debian Linux							  2 February 1997						  CHECKSECURITY(8)
All times are GMT -4. The time now is 03:56 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy