Stupid move of the night

Matthias Benkmann matthias at winterdrache.de
Mon Nov 11 00:40:30 PST 2002


On Mon, 11 Nov 2002 03:46:18 +0000 (UTC) Jamie Norwood
<mistwolf at mushhaven.net> wrote:
> suggestions on the best way to approach fixing things? I am mostly
> worried about what programs should have the suid bit set, 

Actually, that is the least of your problems. Your system is more secure
the fewer setuid/setgid programs you have. You'll notice that a program
needs additional permissions when you run it and it fails with a
permission denied or something like that.
Things that definitely need fixing are permissions for device nodes in
/dev. You should delete all of /dev and recreate it with MAKEDEV. You'll
also have to recreate /dev/initctl (mkfifo /dev/initctl && chmod u=rw,go=
/dev/initctl). Note that you should do this while booted with
init=/bin/sh, because removing init's control FIFO while init is running
is not a good idea.
Then you have to fix /tmp, /var/tmp,... to make them sticky and
world-writable.
Another problem are things like /etc/shadow and also /etc/login.defs that
need more restrictive permissions.
You say you have ssh. Then there's also /etc/ssh which contains the
private keys that must not be world-readable.
Hmm. The more I think of it I don't believe you will find all files that
need different permissions. You'll either have to live with a sense of
reduced security (and sporadic failures that you'll have to investigate)
or you'll have to rebuild the complete system. Tough luck, but that's the
Unix punishment for careless administration.

MSB

-- 
goto doesn't screw up programs.
Programmers screw up programs.

-- 
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe blfs-support' in the subject header of the message



More information about the blfs-support mailing list