UNIX for Dummies Questions & Answers

While I was looking for tips for hardening the security of my MAC OSX I found the following posting:

"<How to disable Setuid and Setgid Binaries >
Setuid programs run with the privileges of the file's owner
(which is often root), no matter which user executes them.
Bugs in these programs can allow privilege escalation attacks.
To find setuid and setgid programs, use the commands:
find / -perm -04000 -ls
find / -perm -02000 -ls

The following files should have their setuid or setgid bits
disabled (using chmod ug-s programname) unless
required for the purpose listed in the second column. The
programs can always have their setuid or setgid bits re-enabled
if necessary for the purpose shown..."

Therefore I disabled the setuid and/or setgid bits of the programs (many) with the command:

chmod ug-s programname.

AND NOW HOW CAN I RE-ENABLE THEM??? :-((
Thank you and greetings

Vera

You followed extremely bad advice -- so poor that I suspect it may have been a malicious joke. At best, whoever gave it was ignorant of how system things like mountpoint managers and login systems need setuid to function.

More importantly -- do you still know which files you did chmod on?

If you don't know, you may need to reinstall, since finding a comprehensive list will be difficult.

To put it back for setuid-root programs: chmod u+s filename
To put it back for setgid programs: chmod g+s filename

Thank you very very much!
It was nor a joke, I read it on the site of the
NSA (National Security Agency). They give a list of the programs to disable and describe what to do... tips to protect MAC OSX, but I suppose they thought that if somebody does what they say, he or she must have a certain knowledge... I don't have it jet, I am still a dummy

Thank you so much for your help you saved my day :-)

Vera

The point is that programs which don't need setuid shouldn't have it -- that would be very dangerous. But there are those things which do. mount for instance needs setuid in a lot of systems. This is okay because it implements its own security.

If someone set cp setuid just to make things more convenient for themselves, that on the other hand would be a nightmare.

You'll have to consider them individually.

Through the command: chmod ug-s programname it is told to 'treat' the following programs MacOS/ARDAgent afpLoad PrinterSharingTool Locum aehelper csregprinter dumpemacs vpnd lppasswd rcp rlogin rsh sadc pppd scselect Disable Setuid and Setgid Binaries Setuid programs run with the privileges of the file's owner (which is often root), no matter which user executes them. Bugs in these programs can allow privilege escalation attacks. To find setuid and setgid programs, use the commands: find / -perm -04000 -ls find / -perm -02000 -ls The following files should have their setuid or setgid bits disabled (using chmod ug-s programname) unless required for the purpose listed in the second column. The programs can always have their setuid or setgid bits re-enabled if necessary for the purpose shown. )

---------- Post updated at 09:29 PM ---------- Previous update was at 09:23 PM ----------

nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml

---------- Post updated at 09:39 PM ---------- Previous update was at 09:29 PM ----------

I know nothing but I want to learn everything. The first thing should be to ensure security to the computer. Do u think this is the right way? (I mean disabled setuid or setgid bits) I know that my questions might seem very stupid but I am a total beginner, I didn't feel too much ashamed to write only because this is the section for dummies :-)

I repeat: Blindly disabling all setuid programs is silly. You are guaranteed to break important things that way.

I repeat: If you don't know if/why they need setuid, research them individually.

The link you gave even lists programs which you can disable setuid bits for on many versions of OSX -- and the consequences of doing so. Even those were set setuid for a reason, after all...

Thank you, I have understood and I will not disable them anymore. They are back...