suid situation



here is a little file i've been working on describing the current suid
and sgid situation in openbsd.

the file is not entirely finished yet, and a few rough spots exist,
as some of the permissions still need to be explained in greater
detail.

but people can see that not only has the suid/sgid list gotten
smaller, but most of these utilities revoke as many of their privs as
possible, as early as possible.

in particular, also note the /usr/libexec/auth authenticators are only
executable if you already have some level of elevated permission, and
the ppp*/slip programs require you to be in a network group.  seen
that way, this list is even shorter for most users.

this priv revocation requires that your ptrace (ktrace, procfs,
whatever) has secure semantics, and we have been doing this to
utilities since tholo and i started doing it with kmem utilities about
6 years ago.

i might write up the situation for a few daemons as well.

for instance, in -current the portmap(8) after startup moves itself
into a chroot jail and uses a _portmap uid and gid.  many other
daemons do this as well, including httpd(8).  it is quite a stunning
change in affairs; my current worry hot-spot these days has moved back
to ftpd(8), which really needs a privsep overhaul like vsftpd.

i hope this explains the situation better.


120896  -r-sr-xr-x    1 root     auth        12288 /usr/libexec/auth/login_passwd
120902  -r-sr-xr-x    1 root     auth        12288 /usr/libexec/auth/login_krb4
120903  -r-sr-xr-x    1 root     auth        12288 /usr/libexec/auth/login_krb4-or-pwd
120906  -r-sr-xr-x    1 root     auth        24576 /usr/libexec/auth/login_chpass
120907  -r-sr-xr-x    1 root     auth        16384 /usr/libexec/auth/login_lchpass
120908  -r-sr-xr-x    4 root     auth        16384 /usr/libexec/auth/login_activ
120908  -r-sr-xr-x    4 root     auth        16384 /usr/libexec/auth/login_crypto
120908  -r-sr-xr-x    4 root     auth        16384 /usr/libexec/auth/login_snk
120908  -r-sr-xr-x    4 root     auth        16384 /usr/libexec/auth/login_token
120917  -r-sr-xr-x    1 root     auth        16384 /usr/libexec/auth/login_radius
120918  -r-sr-xr-x    1 root     auth        16384 /usr/libexec/auth/login_krb5
120921  -r-sr-xr-x    1 root     auth        16384 /usr/libexec/auth/login_krb5-or-pwd
	- setuid root
	- constrained inside group "auth" directory, hence, these
	  "authenticators" can only be executed by programs which
	  have permissions to enter the "auth" directory
	- XXX some can/should be modified to revoke permissions

120897  -r-xr-sr-x    1 root     auth        12288 /usr/libexec/auth/login_skey
	- setgid auth
	- constrained inside group "auth" directory, hence, these
	  "authenticators" can only be executed by programs which
	  have permissions to enter the "auth" directory

120938  -r-sr-xr-x    1 root     bin        147456 /usr/libexec/ssh-keysign
	- setuid root for key files
	- opens key files, then revoke uid root

151156  -r-sr-x---    1 root     operator   151552 /sbin/shutdown
	- setuid root to use reboot(2)
	- restricted to group "operator"
	- statically linked

151146  -r-sr-xr-x    1 root     bin        163840 /sbin/ping
151189  -r-sr-xr-x    1 root     bin        180224 /sbin/ping6
234540  -r-sr-xr-x    1 root     bin        155648 /usr/sbin/timedc
234544  -r-sr-xr-x    1 root     bin        155648 /usr/sbin/traceroute
234571  -r-sr-xr-x    1 root     bin        155648 /usr/sbin/traceroute6
	- setuid root for sockraw opening
	- opens sockraw at startup, then revoke uid root
	- statically linked

234499  -r-sr-xr--    1 root     network    372736 /usr/sbin/ppp
234502  -r-sr-xr--    1 root     network    110592 /usr/sbin/pppd
234531  -r-sr-xr--    1 root     network     12288 /usr/sbin/sliplogin
	- setuid root
	- restricted to group "network"

234425  -r-sr-sr-x    1 root     authpf      65536 /usr/sbin/authpf
	- setuid root for /dev/pf
	- XXX setgid authpf for.. ?
	- bails if missing config file
	- opens /dev/pf
	- revoke uid root and gid authpf as soon as possible

159211  -r-sr-xr-x    1 root     bin         20480 /usr/bin/rsh
	- setuid root for reserved port
	- needs rresvport_af(3) (and kerberos does one too)
	- revokes after that

120876  -r-sr-xr-x    1 root     bin         12288 /usr/libexec/lockspool
	- setuid root to create lock files
	- for spool locking
	- can use a group "mail" for the spool?

159022  -r-sr-xr-x    3 root     bin         24576 /usr/bin/chfn
159022  -r-sr-xr-x    3 root     bin         24576 /usr/bin/chpass
159022  -r-sr-xr-x    3 root     bin         24576 /usr/bin/chsh
	- setuid root to change passwd files and run pwd_mkdb
	- needs to tweak passwd files

159190  -r-sr-xr-x    1 root     bin         32768 /usr/bin/passwd
	- setuid root to change passwd files and run pwd_mkdb
	- needs to tweak passwd files
	- cannot revoke uid

159142  -r-sr-xr-x    1 root     bin         24576 /usr/bin/login
	- setuid root
	- need to create full environment
	- can call su in a special mode?

159250  -r-sr-xr-x    1 root     bin         16384 /usr/bin/su
	- setuid root
	- need to create full environment
	- cannot revoke uid

159265  -r-sr-xr-x    1 root     bin         86016 /usr/bin/sudo
	- setuid root
	- need to create full environment
	- cannot revoke uid

159382  -r-xr-sr-x    1 root     daemon      24576 /usr/bin/lpq
234463  -r-xr-sr-x    1 root     daemon      32768 /usr/sbin/lpc
234464  -r-xr-s---    1 root     daemon      65536 /usr/sbin/lpd
	- setgid daemon

159383  -r-sr-sr-x    1 daemon   daemon      24576 /usr/bin/lpr
159384  -r-sr-sr-x    1 daemon   daemon      24576 /usr/bin/lprm
	- setuid root
	- setgid daemon
	- XXX millert please explain

158856  -r-xr-sr-x    4 root     crontab     28672 /usr/bin/at
158856  -r-xr-sr-x    4 root     crontab     28672 /usr/bin/atq
158856  -r-xr-sr-x    4 root     crontab     28672 /usr/bin/atrm
158856  -r-xr-sr-x    4 root     crontab     28672 /usr/bin/batch
159033  -r-xr-sr-x    1 root     crontab     28672 /usr/bin/crontab
	- setgid crontab

159352  -r-xr-sr-x    1 root     tty         16384 /usr/bin/wall
	- setgid tty
	- uses egid to open [file]
	- does not revoke gid

159360  -r-xr-sr-x    1 root     tty         12288 /usr/bin/write
	- setgid tty
	- revoke gid after opening device

159140  -r-xr-sr-x    1 root     auth        12288 /usr/bin/lock
	- setgid auth

159224  -r-xr-sr-x    1 root     auth        12288 /usr/bin/skeyaudit
159225  -r-xr-sr-x    1 root     auth        12288 /usr/bin/skeyinfo
159226  -r-xr-sr-x    1 root     auth        20480 /usr/bin/skeyinit
	- setgid auth
	- should perhaps be another group?

120926  -r-xr-sr-x    1 root     smmsp      552960 /usr/libexec/sendmail/sendmail
	- XXX millert please describe this

159110  -r-xr-sr-x    1 root     kmem        20480 /usr/bin/fstat
159158  -r-xr-sr-x    1 root     kmem        12288 /usr/bin/modstat
159161  -r-xr-sr-x    1 root     kmem       114688 /usr/bin/netstat
159264  -r-xr-sr-x    1 root     kmem        49152 /usr/bin/systat
159350  -r-xr-sr-x    1 root     kmem        28672 /usr/bin/vmstat
234506  -r-xr-sr-x    1 root     kmem        20480 /usr/sbin/pstat
234545  -r-xr-sr-x    1 root     kmem        12288 /usr/sbin/trpt
	- setgid kmem for kvm_openfiles
	- revoke gid kmem as soon as possible

288399  -r-xr-sr-x    1 root     games       45056 /usr/games/atc
288403  -r-xr-sr-x    1 root     games      192512 /usr/games/battlestar
288409  -r-xr-sr-x    1 root     games       28672 /usr/games/canfield
288410  -r-xr-sr-x    1 root     games       12288 /usr/games/cfscores
288411  -r-xr-sr-x    1 root     games       28672 /usr/games/cribbage
288417  -r-xr-sr-x    1 root     games      233472 /usr/games/hack
288421  -r-xr-sr-x    1 root     games      147456 /usr/games/larn
288434  -r-xr-sr-x    1 root     games       20480 /usr/games/robots
288435  -r-xr-sr-x    1 root     games      114688 /usr/games/rogue
288436  -r-xr-sr-x    1 root     games       69632 /usr/games/sail
288438  -r-xr-sr-x    1 root     games       24576 /usr/games/snake
288439  -r-xr-sr-x    1 root     games       24576 /usr/games/tetris
	- setgid games

---

278658  -rwsr-sr-x    1 root     utmp       262144 /usr/X11R6/bin/xterm
	- suid root for pty allocation at startup, then revoke uid root
	- sgid for utmp management, revoke gid utmp when not needed
	- on exit, leaves ptys owned by wrong user (but revoke(2) works in OpenBSD)

/usr/X11R6/bin/XFree86
/usr/X11R6/bin/XF86_*
	- setuid root
	- on some architectures: early open /dev/xf86 & /dev/pci for mappings
	- on some architectures: early open /dev/ttyC4 for virtual console
	- on i386: i386_iopl(2) call
	- for /var/log/XFree86.0.log creation
	- user invocation: revokes root uid after the above setup
	- xdm invocation: must still be solved, using uid _x11 and gid _x11
	- retains elevated device mappings, but is definitely safer
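The open-then-revoke pattern the list keeps describing (ping, traceroute, ssh-keysign, xterm), as an added C example that is not code from the OpenBSD tree or from this post; the function names are hypothetical, and the raw-socket open stands in for whatever resource needs root. It also checks the saved uid, which a bare seteuid() would leave at 0:

```c
#define _GNU_SOURCE
#include <grp.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Revoke root the way the listed utilities do: supplementary groups and gid
 * first (only root may change them), then uid. All three ids (real, effective,
 * saved) are set, so a later seteuid(0) cannot climb back. Hypothetical helper. */
int drop_privs_to(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) == -1)
        return -1;
    if (setresgid(gid, gid, gid) == -1)
        return -1;
    if (setresuid(uid, uid, uid) == -1)
        return -1;
    return 0;
}

/* Verify the revocation was complete: a lingering saved uid of 0 is the
 * classic mistake (seteuid() alone leaves it behind). */
int privs_fully_dropped(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) == -1 || getresgid(&rg, &eg, &sg) == -1)
        return 0;
    return ru == uid && eu == uid && su == uid &&
           rg == gid && eg == gid && sg == gid;
}

/* The ping(8)/traceroute(8) pattern: open the raw socket while still root,
 * then drop to the invoking user. The descriptor stays usable because the
 * permission check happens at socket() time, not per packet. Returns 0 when
 * privileges were dropped; *sock_out is -1 if not started as root. */
int raw_sock_privsep(int *sock_out)
{
    int s = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    int rc = drop_privs_to(getuid(), getgid());
    if (rc == -1 && s != -1) {
        close(s);
        s = -1;
    }
    *sock_out = s;
    return rc;
}
```

Run as root to see the socket opened before the drop; as an ordinary user the socket() call fails but the revocation still succeeds and verifies.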