then you have to trust your security admin
... and now guess who that might be. ;-)
But that's not all of the problem. You don't just have to trust root that he is not malicious. You also have to trust root that he is not lazy, uninformed or simply stupid: Imagine a security bug in a completely unrelated program running setuid root or a service started as root. A trustworthy root should install the relevant security update; and he should disable that program or service or at least apply a workaround while no update is available. And root should not give out permissions to any user like candy. Imagine a root doing chmod 4755 exe && chown 0:0 exe for any program a student or intern or manager demands that for. Imagine a root allowing anyone to load a new kernel module.
Update: There are usually more setuid/setgid programs than you might expect. Just for fun, I ran this little script:
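#!/usr/bin/perl
use v5.12;
use warnings;
use autodie qw( :all );

my %seen;
# Unique directories from $PATH, in their original order
my @path=grep { !$seen{$_}++ } split /:/,$ENV{'PATH'};
for my $dirname (@path) {
    opendir(my $dir,$dirname);
    while (readdir $dir) {
        next if -l "$dirname/$_";          # skip symlinks (this fills the stat buffer "_")
        next unless -f -x _;               # only regular files that are executable
        (undef,undef,my $mode)=stat _;     # third field of stat is the mode
        unless (defined $mode) {
            warn "Can't stat $dirname/$_: $!\n";
            next;
        }
        ($mode & 06000) or next;           # keep setuid (04000) or setgid (02000) only
        printf("%04o %s\n",($mode & 07777),"$dirname/$_");
    }
    closedir $dir;
}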
It found 36 binaries in $ENV{'PATH'} running setuid or setgid on my home server:
4511 /sbin/mount.nfs
4711 /usr/bin/newuidmap
4755 /usr/bin/pkexec
4711 /usr/bin/newgidmap
4711 /usr/bin/newgrp
2755 /usr/bin/write
2755 /usr/bin/wall
4711 /usr/bin/traceroute6
4755 /usr/bin/cgexec
4711 /usr/bin/crontab
4711 /usr/bin/expiry
4711 /usr/bin/gpasswd
2755 /usr/bin/slocate
2751 /usr/bin/xlock
4750 /usr/bin/fdmount
4711 /usr/bin/chfn
4711 /usr/bin/passwd
4711 /usr/bin/sudo
2755 /usr/bin/lockfile
4711 /usr/bin/chage
4711 /usr/bin/chsh
6755 /usr/bin/procmail
4711 /bin/ping6
4755 /bin/umount
4755 /bin/mount
4711 /bin/ping
4755 /bin/fusermount
4711 /bin/su
4511 /opt/VirtualBox/VirtualBox
4511 /opt/VirtualBox/VBoxVolInfo
4511 /opt/VirtualBox/VBoxSDL
4511 /opt/VirtualBox/VBoxNetAdpCtl
4511 /opt/VirtualBox/VBoxHeadless
4511 /opt/VirtualBox/VBoxNetDHCP
4511 /opt/VirtualBox/VBoxNetNAT
4755 /opt/exim/bin/exim-4.72-1
I should ask root a.k.a. myself: Do I need all of these? Do all of these have to run setuid? Are there more, in directories outside $ENV{'PATH'}?
Alexander
--
Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)
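
The last question in the post above (are there more outside $ENV{'PATH'}?) can be answered by walking whole directory trees and comparing the result against a reviewed list. This is an added example, not part of the original post; the names load_baseline and find_setid, the baseline file format and the pruned directories are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: audit setuid/setgid files under whole directory trees.
use v5.12;
use warnings;
use File::Find;

# Pseudo-filesystems that are pruned (assumption: typical Linux layout).
my %skip = map { $_ => 1 } qw( /proc /sys /dev /run );

# Baseline format (assumption): one absolute path per line, "#" starts a comment.
sub load_baseline {
    my ($file) = @_;
    my %ok;
    open(my $fh, '<', $file) or die "Can't open $file: $!\n";
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(?:#|$)/;
        $ok{$line} = 1;
    }
    close $fh;
    return \%ok;
}

# Returns [mode, uid, gid, path] for every setuid/setgid regular file found.
sub find_setid {
    my @roots = @_;
    my @hits;
    find({ no_chdir => 1, wanted => sub {
        my $path = $File::Find::name;
        if ($skip{$path}) { $File::Find::prune = 1; return; }
        my @st = lstat $path or return;   # lstat: never follow symlinks
        return unless -f _;               # regular files only
        return unless $st[2] & 06000;     # setuid (04000) or setgid (02000)
        push @hits, [ $st[2] & 07777, @st[4, 5], $path ];
    } }, @roots);
    return @hits;
}

my ($baseline, @roots) = @ARGV;
die "usage: $0 BASELINE DIR [DIR...]\n" unless defined $baseline && @roots;
my $ok  = load_baseline($baseline);
my $new = 0;
for my $hit (find_setid(@roots)) {
    my ($mode, $uid, $gid, $path) = @$hit;
    my $known = $ok->{$path};
    $new++ unless $known;
    printf "%-5s %04o %d:%d %s\n", ($known ? 'known' : 'NEW'), $mode, $uid, $gid, $path;
}
exit($new ? 1 : 0);   # non-zero exit when something is not in the baseline
```

Run as root from cron with the baseline file kept read-only, so a setuid or setgid file that appears after an install or a careless chmod shows up as NEW together with its owner and group.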