suid files
Some another question I wanted to ask a long time ago: 1. Is there some list of files, that REALLY need suid-bit set ? 2. Is there some list of files, installed from FreeBSD, which HAVE suid-bit set ? Peter Rosa ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: suid files
Peter Rosa wrote: Some another question I wanted to ask a long time ago: 1. Is there some list of files, that REALLY need suid-bit set ? 2. Is there some list of files, installed from FreeBSD, which HAVE suid-bit set ? See /var/log/setuid.today for the latter, and maybe /etc/periodic/daily/450.status-security which performs a daily check on setuid files, if that is of interest to you... -- -Chuck ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: suid files
Dear Chuck and others, of course, it's no problem to find-out which files ALREADY HAS suid-bit set. I'm asking to know: 1. what files MUST have... 2. what files HAVE FROM INSTALL... 3. what files DO NOT NEED... 4. what files NEVER MAY... ...the suid-bit set. Anyway, thank you and have a nice day. Peter Rosa - Original Message - From: "Chuck Swiger" <[EMAIL PROTECTED]> To: "Peter Rosa" <[EMAIL PROTECTED]> Cc: "freebsd-questions" <[EMAIL PROTECTED]> Sent: Saturday, July 26, 2003 1:54 AM Subject: Re: suid files > Peter Rosa wrote: > > Some another question I wanted to ask a long time ago: > > > > 1. Is there some list of files, that REALLY need suid-bit set ? > > 2. Is there some list of files, installed from FreeBSD, which HAVE suid-bit > > set ? > > See /var/log/setuid.today for the latter, and maybe > /etc/periodic/daily/450.status-security which performs a daily check on setuid > files, if that is of interest to you... > > -- > -Chuck > > > ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
remove suid files question....
Hi all.i installed a freebsd 6 and i am going to use it as a server with apache, ssh, ftp and other servicesit is going to be of free accessu register in my page your account (free) and i create an account for u in the systemso i am trying to make it secure.which setuid files should i take the setuid bit off??? thanks ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: remove suid files question....
On Sat, Dec 23, 2006 at 05:41:29PM -0300, Agus wrote: > Hi all.i installed a freebsd 6 and i am going to use it as a server with > apache, ssh, ftp and other servicesit is going to be of free accessu > register in my page your account (free) and i create an account for u in the > systemso i am trying to make it secure.which setuid files should i > take the setuid bit off??? Sounds interesting. Can i get an account? :) btw: do you care for a real email address? (see below) Giving the users shell access without a chroot environment is a potential danger, possible though. A plain BSD installation has several suid- bits set like for the 'passwd' program, 'su' and other. These can't be used to corrupt the system, so you should be safe. Nevertheless, special care has to be taken for all third party software, e.g. via the ports system. On my box i can't afford giving users shell access, because cpu cycles are a rare resource (OSes can be even freeze with naughty users). And then i have no expirience about enforcing resource limits... Another important point is: You may trust your users, but unauthorized access (someone else logs in) can arise if they do something wrong. Restricting them to cryptgraphically authenticated entrance is a good countermeasure. Armin -- PUBBOX Postmaster + spam-killer. Free email addresses at http://pubbox.net/ ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: remove suid files question....
Of course u can get an account..when i get the system connected and upno problemm the web will be www.free-shells.com.ar; i'm still testing localywhen i start testing access with friends and people i know, i'll create an account for u, to test the system thanxs.Happy Holidays 2006/12/23, Armin Arh <[EMAIL PROTECTED]>: On Sat, Dec 23, 2006 at 05:41:29PM -0300, Agus wrote: > Hi all.i installed a freebsd 6 and i am going to use it as a server with > apache, ssh, ftp and other servicesit is going to be of free accessu > register in my page your account (free) and i create an account for u in the > systemso i am trying to make it secure.which setuid files should i > take the setuid bit off??? Sounds interesting. Can i get an account? :) btw: do you care for a real email address? (see below) Giving the users shell access without a chroot environment is a potential danger, possible though. A plain BSD installation has several suid- bits set like for the 'passwd' program, 'su' and other. These can't be used to corrupt the system, so you should be safe. Nevertheless, special care has to be taken for all third party software, e.g. via the ports system. On my box i can't afford giving users shell access, because cpu cycles are a rare resource (OSes can be even freeze with naughty users). And then i have no expirience about enforcing resource limits... Another important point is: You may trust your users, but unauthorized access (someone else logs in) can arise if they do something wrong. Restricting them to cryptgraphically authenticated entrance is a good countermeasure. Armin -- PUBBOX Postmaster + spam-killer. Free email addresses at http://pubbox.net/ ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
rsync unable to sync suid files
I am running Release 5.4 with 2 disks and am using rsync to sync between the two. On installing the second disk I used dump/restore to mirror them and am since using rsync for incremental changes. However I have a problem that rsync is unable to copy some files and I suspect it is has something to do with the suid files. Am I missing some switch to rsync ? This is the output # rsync --archive --times --verbose --delete --links --hard-links /usr/ /backup/usr building file list ... done bin/chfn bin/crontab bin/login bin/opieinfo bin/opiepasswd bin/passwd bin/rlogin bin/rsh bin/su lib/libc_r.so.5 lib/libpthread.so.1 lib/libthr.so.1 rsync: rename "/backup/usr/bin/.chfn.n9bmTM" -> "bin/chfn": Operation not permitted (1) rsync: rename "/backup/usr/bin/.crontab.2cRdng" -> "bin/crontab": Operation not permitted (1) bin/chpass bin/chsh bin/ypchfn bin/ypchpass bin/ypchsh rsync: rename "/backup/usr/bin/.login.afaGPu" -> "bin/login": Operation not permitted (1) rsync: rename "/backup/usr/bin/.opieinfo.khGnuB" -> "bin/opieinfo": Operation not permitted (1) rsync: rename "/backup/usr/bin/.opiepasswd.IUIwr4" -> "bin/opiepasswd": Operation not permitted (1) rsync: rename "/backup/usr/bin/.passwd.DZeNlh" -> "bin/passwd": Operation not permitted (1) sbin/sliplogin bin/yppasswd rsync: rename "/backup/usr/bin/.rlogin.NQALJo" -> "bin/rlogin": Operation not permitted (1) rsync: rename "/backup/usr/bin/.rsh.a8Y0ck" -> "bin/rsh": Operation not permitted (1) rsync: rename "/backup/usr/bin/.su.REqmlZ" -> "bin/su": Operation not permitted (1) rsync: rename "/backup/usr/lib/.libc_r.so.5.5qXxhc" -> "lib/libc_r.so.5": Operation not permitted (1) rsync: rename "/backup/usr/lib/.libpthread.so.1.rdy2Z7" -> "lib/libpthread.so.1": Operation not permitted (1) rsync: rename "/backup/usr/lib/.libthr.so.1.hxrWjS" -> "lib/libthr.so.1": Operation not permitted (1) rsync: rename "/backup/usr/sbin/.sliplogin.ILQ9G3" -> "sbin/sliplogin": Operation not permitted (1) Any hints ? Regards, RR ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: rsync unable to sync suid files
Rajarajan Rajamani wrote: I am running Release 5.4 with 2 disks and am using rsync to sync between the two. On installing the second disk I used dump/restore to mirror them and am since using rsync for incremental changes. However I have a problem that rsync is unable to copy some files and I suspect it is has something to do with the suid files. Am I missing some switch to rsync ? This is the output # rsync --archive --times --verbose --delete --links --hard-links /usr/ /backup/usr [...] rsync: rename "/backup/usr/bin/.login.afaGPu" -> "bin/login": Operation not permitted (1) It's a problem with the schg flag (and sunlnk might be similar). See man chflags. It just so happens that suid files have been made schg to stop them being tampered with, but otherwise suid is just a coincidence. % ls -lsaFko /usr/bin/login 18 -r-sr-xr-x 1 root wheel schg 17192 Aug 8 23:06 /usr/bin/login* The only solutions I could think of were 1) fix rsync to be flag aware (hard) 2) implement something based on mtree which parsed your source tree, chflags -R on your dest tree, did the rsync, then ran mtree on the dest tree to fix the flags back. I haven't done either yet :-( so if anyone has a better solution I'd love to know. 2) won't work if you run at higher securelevel since you can't un-schg files (because it's not secure :-)), IIRC. --Alex ___ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "[EMAIL PROTECTED]"
