[SECURITY] Simpleinit root exploit

jsmaby at virgo.umeche.maine.edu jsmaby at virgo.umeche.maine.edu
Mon May 27 06:08:51 PDT 2002


> Thanks for responding. One more question though. Are you saying it can't 
> be exploited from another machine? (say over the internet) I apologize 
> for such simpleton questions, but my knowledge of linux security is weak.

Well, first off, anyone with physical access can root your box without
too much trouble.  The first whole would be typing init=/bin/bash at the
lilo prompt.  You can password-protect lilo to close that whole.  Next is
booting off a floppy, and mounting the hard disk from it.  Simply disable
booting from the floppy in bios, and password-protect bios.  Well, the
bios password can be reset either via a jumper in the motherboard, or
removing the cmos battery for a short period of time.  So now you need 
a case lock.  That's probably as far as it should go (don't need       
light-activated explosive devices in the case or anything like that).

Now they'll need a software whole to get in.  This can be from
something that init runs as root, or a program with the setuid
bit set.  Don't worry about the simpleinit thing as LFS uses
sysvinit.  Furthermore, xdm (or kdm, gdm, whatever) is probably
safer to run than having people use startx, as the later requires
that XFree86 be setuid root.  If you do use ?dm, disable romote
logins if they're enabled.  You may want to go so far as to
firewall off any ports that X, gnome, etc. open up (6000 for
X, and who knows what gnome opens up).  You can see what
ports are open with:
root:~# netstat -lnp
(btw, to whoever wanted to know how to list open filehandles, lsof(8))
If you want to go the route of firewalling off ports, read the
iptables documentation (I think there's a howto for it).

Next, kill all posible setuid bits.  This permission bit allows
the program to run with root priveledges.  So programs like passwd,
su, and ping, which have to do stuff that only root can do will work.
Look for such programs with
root:~# find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \;   
Any programs you don't use can have thier setuid bit removed with
root:~# chmod 0755 /usr/bin/write
for instance.  The only ones I have set are su and ping.  You probably
don't even need ping.  Remember, any program that's only run by root
(or the init scripts) like mount or XFree86 (if you use xdm) can have
thier setuid bits removed.  Just because the bit is removed doesn't
mean the program won't work, i.e. xterm can't write to /var/run/utmp
if it isn't setuid, but that just means 'who' won't show any logged
in users.

LFS comes fairly secure (except for too many setuid programs), mostly
because it doesn't start up any network services.  People who install
a distro may end up with ftpd, telnetd, httpd, and who knows what
else running.  If you're security-concious, then the only way is
to do it yourself.

Happy hacking
-James Smaby
-- 
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe lfs-security' in the subject header of the message



More information about the lfs-security mailing list