[SECURITY] Simpleinit root exploit

Donald G. Wilson Jr. wilson at warwick.net
Mon May 27 06:44:46 PDT 2002

Thank you for the wonderful reply.
(and have a great day in return!;-))

jsmaby at virgo.umeche.maine.edu wrote:

>>Thanks for responding. One more question though. Are you saying it can't 
>>be exploited from another machine? (say over the internet) I apologize 
>>for such simpleton questions, but my knowledge of linux security is weak.
>Well, first off, anyone with physical access can root your box without
>too much trouble.  The first hole would be typing init=/bin/bash at the
>lilo prompt.  You can password-protect lilo to close that hole.  Next is
>booting off a floppy, and mounting the hard disk from it.  Simply disable
>booting from the floppy in bios, and password-protect bios.  Well, the
>bios password can be reset either via a jumper in the motherboard, or
>removing the cmos battery for a short period of time.  So now you need
>a case lock.  That's probably as far as it should go (don't need
>light-activated explosive devices in the case or anything like that).
>Now they'll need a software hole to get in.  This can be from
>something that init runs as root, or a program with the setuid
>bit set.  Don't worry about the simpleinit thing as LFS uses
>sysvinit.  Furthermore, xdm (or kdm, gdm, whatever) is probably
>safer to run than having people use startx, as the latter requires
>that XFree86 be setuid root.  If you do use ?dm, disable remote
>logins if they're enabled.  You may want to go so far as to
>firewall off any ports that X, gnome, etc. open up (6000 for
>X, and who knows what gnome opens up).  You can see what
>ports are open with:
>root:~# netstat -lnp
>(btw, to whoever wanted to know how to list open filehandles, lsof(8))
>If you want to go the route of firewalling off ports, read the
>iptables documentation (I think there's a howto for it).
>Next, kill all possible setuid bits.  This permission bit allows
>the program to run with root privileges.  So programs like passwd,
>su, and ping, which have to do stuff that only root can do will work.
>Look for such programs with
>root:~# find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \;
>Any programs you don't use can have their setuid bit removed with
>root:~# chmod 0755 /usr/bin/write
>for instance.  The only ones I have set are su and ping.  You probably
>don't even need ping.  Remember, any program that's only run by root
>(or the init scripts) like mount or XFree86 (if you use xdm) can have
>their setuid bits removed.  Just because the bit is removed doesn't
>mean the program won't work, i.e. xterm can't write to /var/run/utmp
>if it isn't setuid, but that just means 'who' won't show any logged
>in users.
>LFS comes fairly secure (except for too many setuid programs), mostly
>because it doesn't start up any network services.  People who install
>a distro may end up with ftpd, telnetd, httpd, and who knows what
>else running.  If you're security-conscious, then the only way is
>to do it yourself.
>Happy hacking
>-James Smaby

Donald Wilson
wilson at warwick.net
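The setuid audit James outlines (find every setuid/setgid file, keep an allowlist such as su and ping, strip the bit from the rest) as an added shell example. This is not code from the original thread; the function names and the allowlist format (one program base name per line) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit setuid/setgid files under a tree against an allowlist.
# Not from the original thread; function names and the allowlist format
# (one program base name per line) are assumptions made for this example.

# Print every regular file below $1 carrying the setuid (4000) or setgid
# (2000) bit, one path per line, sorted.  Same find test as in the post.
find_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Print the setid files below $1 whose base name is not listed in the
# allowlist file $2.  These are the candidates for having the bit removed.
report_unexpected_setid() {
    find_setid_files "$1" | while IFS= read -r path; do
        name=$(basename "$path")
        grep -qx -- "$name" "$2" || printf '%s\n' "$path"
    done
}

# Remove the setuid and setgid bits from every unexpected file below $1.
# Dry run (prints what would change) unless $3 is the word "apply".
strip_unexpected_setid() {
    report_unexpected_setid "$1" "$2" | while IFS= read -r path; do
        if [ "$3" = "apply" ]; then
            chmod u-s,g-s -- "$path" && printf 'stripped %s\n' "$path"
        else
            printf 'would strip %s\n' "$path"
        fi
    done
}

# Usage: strip_unexpected_setid / /etc/setid.allow        (dry run)
#        strip_unexpected_setid / /etc/setid.allow apply  (as root)
```

Run the dry run first and review the list; programs such as passwd genuinely need the bit, so they belong in the allowlist before you apply.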
