Re: Setuid and setgid files (2) (?)

Hi,

I prefer:
find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld '{}' \;

You will find all SUID/SGID files and list the file permissions as output of the
search so they can be easily altered.

kind regards, maarten
----- Original Message -----
From: "." <cavie@ziplip.com>
To: <security-discuss@linuxsecurity.com>
Sent: Monday, January 14, 2002 9:12 AM
Subject: Setuid and setgid files (2) (?)


Hi.

I thought there was another 'easier' way to get a list of setuid and setgid files.
I think I read somewhere on the Internet how to find files with setuid
and setgid, by using 'find' or 'ls'. Can anyone tell me how?

> -----Original Message-----
> From: Patrick Duane Dunston [mailto:duane@sukkha.homeip.net]
> Sent: Wednesday, January 09, 2002, 4:06 AM
> To: security-discuss@linuxsecurity.com
> Subject: Re: Setuid and setgid files
>
> Hey,
>
> Remove the suid bit (chmod u-s) the following is true:  (NN--not needed on
> servers, NW--not needed on workstations, YR -- your call.  If no acronym
> then it is required.)
>
> /usr/sbin/sendmail -- sending mail
> /usr/X11R6/bin/Xwrapper (NN) - you are using X and normal users will be
> using it as well.
> /usr/bin/crontab (NN)(NW)-- normal users can create cron entries
> /usr/bin/chage (YR)-- normal users can change their password aging
> feature.
> /usr/bin/gpasswd (YR)-- group users can change passwords
> /usr/bin/at (NN, NW) -- you are using this daemon to run scheduled tasks
> /usr/bin/gpg (YR) --  normal users can use encryption
> /usr/bin/suidperl(NN,NW) -- (I'm still not sure the purpose of this
> program)
> /usr/bin/sperl5.6.0 (NN,NW)-- (same as above)
> /usr/bin/passwd -- Required so normal users can change their password.
> /usr/bin/ssh -- required so normal users can initiate ssh connections
> /usr/bin/chfn (NN,NW)  -- users can change their finger information
> /usr/bin/chsh (NN,NW) -- users can change their shell
> /usr/bin/newgrp (NN,NW)-- users can change to a new group.
> /usr/sbin/usernetctl (NN,NW)-- normal users change network interface
> information
> and bring them up or down
> /usr/sbin/traceroute (YR) -- normal users can perform traceroutes
> /usr/sbin/userhelper (YR depends on the above)-- gives users info on how
> to use features like chfn
> or chsh, etc.
> /bin/ping (NN) -- normal users can ping
> /bin/su (YR)-- normal users allowed to su in to root or other user
> accounts
> (provided the password is known)
> /bin/mount (NN)-- users can mount filesystems.
> /bin/umount (NN)-- users can unmount filesystems.
> /sbin/pwdb_chkpwd  -- used to determine if the password typed is a strong
> password and not a dictionary word.
> /sbin/unix_chkpwd
>
> Regardless the ones that are okay are: passwd, unix_chkpwd,
> pwdb_chkpwd, sendmail, ssh, traceroute.  This will depend on your setup
> however.
>
> Crap I am about late for work.  I'll email back about sgids later unless
> someone else emails first.  Also, look up libsafe and install that.
>
>
> On Wed, 9 Jan 2002, BUNTER MATTHEW wrote:
>
> > --- Reçu de       RVIDOI.BUNTERMA 04 72 96 57 77    09/01/02 09.37
> >
> > All,
> >
> > Just joined yesterday so apologies if I am asking something that
> > has been covered recently.
> >
> > Trying to add a setuid/setgid section to a Linux security
> > standard. I would like some opinions as to which files can be left
> > with setuid and setgid and which should definitely NOT be left
> > setuid or setgid.
> >
> > I have been having a good crawl around the net for a while and can
> > find various links on how to identify and edit these types of
> > files but not which ones should be altered or left alone. I
> > already have the Solaris recommendations.
> >
> > This will have to cover both server and workstation
> > implementations.
> >
> > Thanks in advance,
> >
> > Matt
> >
> > ---- 09/01/02 09.37 ---- Envoyé à      ---------------------------
> >   -> SECURITY-DISCUSS(a)LINUXSECURITY.COM
> > ------------------------------------------------------------------------
> >      To unsubscribe email security-discuss-request@linuxsecurity.com
> >          with "unsubscribe" in the subject of the message.
> >
>
> --
> duane
>
>
> --
>
> GnuPG Public Key:  http://sukkha.homeip.net/pgp.html
>
> --
>
> Fun reading:  8-)
> http://linuxtoday.com/search.php3?author=Duane:Dunston
>
>
>
>
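
Added example (not part of the original thread): the find test from the reply at the top, combined with the six binaries the quoted message calls "okay", so every other SUID/SGID file is flagged for review. KEEP_LIST and the function names list_special and audit_special are assumptions made for this sketch; entries are matched on full path, so a file merely named passwd somewhere else is still flagged.

```shell
#!/bin/sh
# Added example, not from the thread. KEEP_LIST holds the paths the quoted
# message calls "okay"; it is an assumption to adjust for your own setup.
KEEP_LIST="/usr/bin/passwd /sbin/unix_chkpwd /sbin/pwdb_chkpwd
/usr/sbin/sendmail /usr/bin/ssh /usr/sbin/traceroute"

# list_special ROOT: regular files under ROOT with the SUID or SGID bit set
# (the same -perm test as the find command in the reply).
list_special() {
    r=${1%/}
    find "${r:-/}" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# audit_special ROOT: one line per hit, "<KEEP|REVIEW> <bits> <path>".
# <path> is printed relative to ROOT, so a mounted image can be audited too.
audit_special() {
    root=${1%/}
    list_special "$root" | while IFS= read -r path; do
        rel=${path#"$root"}
        bits=
        [ -u "$path" ] && bits=suid
        [ -g "$path" ] && bits=${bits:+$bits+}sgid
        verdict=REVIEW
        for ok in $KEEP_LIST; do
            [ "$rel" = "$ok" ] && verdict=KEEP
        done
        printf '%s %s %s\n' "$verdict" "$bits" "$rel"
    done
}

# Run as: sh audit.sh /      (with no argument it only defines the functions)
if [ "$#" -gt 0 ]; then
    audit_special "$1"
fi
```

Lines marked REVIEW are the candidates for chmod u-s or g-s under the NN/NW/YR notes in the quoted list.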