[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Partial Solution to SUID Problems

To: Todd Burroughs <todd@hostopia.com>
Subject: Re: [Full-Disclosure] Partial Solution to SUID Problems
From: Gino Thomas <g.thomas@nux-acid.org>
Date: Thu, 4 Dec 2003 12:38:01 +0100

On Thu, 4 Dec 2003 03:51:42 -0500 (EST)
Todd Burroughs <todd@hostopia.com> wrote:

> Several exploits rely on being able to create suid programs or
> to execute these programs (maybe installed by an old patch, etc.)
> 
> I have an idea to reduce this problem.  Basically, you mount
> everything"nosuid", except for one filesystem.  This filesystem is
> obviously only writeable by root, it gets rid of the linking problem
> discussed last week.
> 
> I make a small partition and mount everything else "nosuid".  I put
> anything that needs suid or sgid on that filesystem and make symlinks
> to where it should be.  This makes is easy to find SUID programs,
> run mount and make sure things are mounted nosuid, then look at your
> "suid partition".

I started to use a method like this some time ago, on my freebsd servers
i just have 'su' left as suid on a separate partition, everything else
mounted nosuid. Since now, i have discovered no problems with my
services, but i would not say i have tested it 100% (so something may
be broken due to this modification, if anyone knows what could, please
drop me a note).

> So, does this make sense?  It seems to make it easier and more
> controlled when you patch or add suid binaries.  I would love to see
> us start to use something like this on *NIX systems.

I asked some ppl the same question, answers vary. On one hand some ppl
trust the suids and claim that messing up with them will open new
problems and that there are also many other ways to get root (kernel, 
libc, daemons,...) on the other hand ppl agreed with me that if i don't 
need uucp, why should it be on my box anyway (and that suid or sgid). 
As said, i disabled all suids except 'su', so a user can't use 
'netstat', 'ping' or even 'man' anymore, but i do not want that on a
bastion host anyway, eh? Mounting whats left on a separate partition
seems to be as logical as doing that for /home, /tmp,...

I would like to see a detailed discussion about this, too. 

kind regards
-gt

-- 
Gino Thomas | mailto: g.thomas@nux-acid.org | http://nux-acid.org
GPG: E6EA9145 | 4578 F871 893E 1FEC 31FC 5B5E 8A46 4CC8 E6EA 9145

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- [Full-Disclosure] new dos attack?
  - From: "Geo." <geoincidents@getinfo.org>
- Re: [Full-Disclosure] Partial Solution to SUID Problems
  - From: Ciro <domino@asgardnet.org>

References:
- [Full-Disclosure] Partial Solution to SUID Problems
  - From: Todd Burroughs <todd@hostopia.com>

Prev by Date: Re: [Full-Disclosure] [Fwd: Bugtraq: Linksys WRT54G Denial of Service Vulnerability]
Next by Date: RE: [Full-Disclosure] RE: Yahoo Instant Messenger YAUTO.DLL buffer overflow
Previous by thread: [Full-Disclosure] Partial Solution to SUID Problems
Next by thread: [Full-Disclosure] new dos attack?
Index(es):
- Date
- Thread