
Removing SUID and SGID flags from binaries
After installation, you may find that you do not want so many set user ID (SUID) or set group ID (SGID) binaries lying around on the system. SUID and SGID binaries pose a risk of exploitation because they run as user 'root' or as group 'root' (or some other user or group) rather than as the user who started them. If you have a single-user system and no accounts will be made other than your own, then you shouldn't worry too much about local security. But it is always a good idea to know what these binaries are, how to get rid of them, and which ones you can get rid of without killing the system.

A good place to start is to find out which SUID and SGID files you have. This can be done in a number of ways, but I use two find commands and redirect the output to files like so:

find / -perm -4000 -print > ~/SUIDS
find / -perm -2000 -print > ~/SGIDS

This gives you two files listing the set user ID and set group ID files on the system. You may now want to take the set ID bits off some of these files. The ones I take off are as follows (keep in mind that this is for a system that runs no servers, and that I have probably broken some functionality here that I never use):

Set Group IDs to remove

chmod -R g-s /var/mailman/
chmod g-s /var/spool/slrnpull/out.going
chmod g-s /var/ftp/pub
chmod g-s /usr/bin/{wall,write,kdesud,slrnpull,cu,uuname}
chmod g-s /usr/sbin/{utempter,uucico,uuxqt}
chmod g-s /sbin/netreport

Set User IDs to remove (be careful!)

chmod u-s /usr/bin/{suidperl,sperl5.6.1,chage,gpasswd,at,kon}
chmod u-s /usr/bin/{newvc,chfn,chsh,newgrp,crontab,lppasswd}
chmod u-s /usr/bin/{kcheckpass,ssh,rcp,rlogin,rsh,inndstart}
chmod u-s /usr/bin/{rnews,startinnfeed,sudo,nwsfind,uucp,cu}
chmod u-s /usr/bin/{uuname,uustat,uux}
chmod u-s /usr/lib/mc/bin/cons.saver
chmod -R u-s /usr/lib/amanda/
chmod u-s /usr/sbin/{ping6,traceroute6,sendmail.sendmail,usernetctl}
chmod u-s /usr/sbin/{userhelper,traceroute,suexec,amcheck,uucico,uuxqt}
chmod u-s /bin/ping
chmod u-s /sbin/{pwdb_chkpwd,unix_chkpwd,cardctl}
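
To confirm the bits are really gone, and to notice set ID bits that reappear later (for example after a package is reinstalled), the find listing above can be kept as a sorted snapshot and compared against a later one. This is an added example, not part of the original page; the function names and the snapshot file names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: snapshot-and-compare audit for SUID/SGID files.
# setid_snapshot and setid_compare are illustrative names, not standard tools.

# Print every file or directory under $1 that carries the SUID or SGID bit,
# one path per line, sorted in the C locale so comm(1) can compare snapshots.
# Paths containing newlines are not handled.
setid_snapshot() {
    find "$1" \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | LC_ALL=C sort
}

# Compare an earlier snapshot file ($1) with a later one ($2).
# Prints "GONE <path>" for entries that no longer carry a set ID bit and
# "NEW <path>" for entries that were not in the earlier snapshot.
# Returns 1 if any NEW entry exists (something to investigate), else 0.
setid_compare() {
    new=$(LC_ALL=C comm -13 "$1" "$2")
    gone=$(LC_ALL=C comm -23 "$1" "$2")
    [ -n "$gone" ] && printf '%s\n' "$gone" | sed 's/^/GONE /'
    [ -n "$new" ] || return 0
    printf '%s\n' "$new" | sed 's/^/NEW /'
    return 1
}

# Typical use (file names are assumptions):
#   setid_snapshot / > ~/SETID.before      # before running the chmod commands
#   ...run the chmod commands...
#   setid_snapshot / > ~/SETID.after
#   setid_compare ~/SETID.before ~/SETID.after
```

Every path you ran chmod on should show up as GONE; a NEW line means a set ID file exists that was not there at the time of the first snapshot.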


Eric Thern
2002-08-27