suid situation
- To: misc_(_at_)_cvs_(_dot_)_openbsd_(_dot_)_org
- Subject: suid situation
- From: Theo de Raadt <deraadt_(_at_)_cvs_(_dot_)_openbsd_(_dot_)_org>
- Date: Wed, 04 Sep 2002 10:52:55 -0600
here is a little file i've been working on describing the current suid
and sgid situation in openbsd.
the file is not entirely finished yet and a few rough spots exist,
as some of the permissions still need to be explained in greater
detail.
but people can see that not only has the suid/sgid list gotten
smaller, but most of these utilities revoke as many privs as
possible, as early as possible.
in particular, also note the /usr/libexec/auth authenticators are only
executable if you already have some level of elevated permission, and
the ppp*/slip programs require you to be in a network group. seen
that way, this list is even shorter for most users.
this priv revocation requires that your ptrace (ktrace, procfs,
whatever) has secure semantics, and we have been doing this to
utilities since tholo and i started doing it with kmem utilities about
6 years ago.
i might write up the situation for a few daemons as well.
for instance, in -current the portmap(8) after startup moves itself
into a chroot jail and uses a _portmap uid and gid. many other
daemons do this as well, including httpd(8). it is quite a stunning
change in affairs; my current worry hot-spot these days has moved back
to ftpd(8), which really needs a privsep overhaul like vsftpd.
i hope this explains the situation better.
120896 -r-sr-xr-x 1 root auth 12288 /usr/libexec/auth/login_passwd
120902 -r-sr-xr-x 1 root auth 12288 /usr/libexec/auth/login_krb4
120903 -r-sr-xr-x 1 root auth 12288 /usr/libexec/auth/login_krb4-or-pwd
120906 -r-sr-xr-x 1 root auth 24576 /usr/libexec/auth/login_chpass
120907 -r-sr-xr-x 1 root auth 16384 /usr/libexec/auth/login_lchpass
120908 -r-sr-xr-x 4 root auth 16384 /usr/libexec/auth/login_activ
120908 -r-sr-xr-x 4 root auth 16384 /usr/libexec/auth/login_crypto
120908 -r-sr-xr-x 4 root auth 16384 /usr/libexec/auth/login_snk
120908 -r-sr-xr-x 4 root auth 16384 /usr/libexec/auth/login_token
120917 -r-sr-xr-x 1 root auth 16384 /usr/libexec/auth/login_radius
120918 -r-sr-xr-x 1 root auth 16384 /usr/libexec/auth/login_krb5
120921 -r-sr-xr-x 1 root auth 16384 /usr/libexec/auth/login_krb5-or-pwd
- setuid root
- constrained inside group "auth" directory, hence, these
"authenticators" can only be executed by programs which
have permissions to enter the "auth" directory
- XXX some can/should be modified to revoke permissions
120897 -r-xr-sr-x 1 root auth 12288 /usr/libexec/auth/login_skey
- setgid auth
- constrained inside group "auth" directory, hence, these
"authenticators" can only be executed by programs which
have permissions to enter the "auth" directory
120938 -r-sr-xr-x 1 root bin 147456 /usr/libexec/ssh-keysign
- setuid root for key files
- opens key files, then revoke uid root
151156 -r-sr-x--- 1 root operator 151552 /sbin/shutdown
- setuid root to use reboot(2)
- restricted to group "operator"
- statically linked
151146 -r-sr-xr-x 1 root bin 163840 /sbin/ping
151189 -r-sr-xr-x 1 root bin 180224 /sbin/ping6
234540 -r-sr-xr-x 1 root bin 155648 /usr/sbin/timedc
234544 -r-sr-xr-x 1 root bin 155648 /usr/sbin/traceroute
234571 -r-sr-xr-x 1 root bin 155648 /usr/sbin/traceroute6
- setuid root for sockraw opening
- opens sockraw at startup, then revoke uid root
- statically linked
234499 -r-sr-xr-- 1 root network 372736 /usr/sbin/ppp
234502 -r-sr-xr-- 1 root network 110592 /usr/sbin/pppd
234531 -r-sr-xr-- 1 root network 12288 /usr/sbin/sliplogin
- setuid root
- restricted to group "network"
234425 -r-sr-sr-x 1 root authpf 65536 /usr/sbin/authpf
- setuid root for /dev/pf
- XXX setgid authpf for.. ?
- bails if missing config file
- opens /dev/pf
- revoke uid root and gid authpf as soon as possible
159211 -r-sr-xr-x 1 root bin 20480 /usr/bin/rsh
- setuid root for reserved port
- needs rresvport_af(3) (and kerberos does one too)
- revokes after that
120876 -r-sr-xr-x 1 root bin 12288 /usr/libexec/lockspool
- setuid root to create lock files
- for spool locking
- can use a group "mail" for the spool?
159022 -r-sr-xr-x 3 root bin 24576 /usr/bin/chfn
159022 -r-sr-xr-x 3 root bin 24576 /usr/bin/chpass
159022 -r-sr-xr-x 3 root bin 24576 /usr/bin/chsh
- setuid root to change passwd files and run pwd_mkdb
- needs to tweak passwd files
159190 -r-sr-xr-x 1 root bin 32768 /usr/bin/passwd
- setuid root to change passwd files and run pwd_mkdb
- needs to tweak passwd files
- cannot revoke uid
159142 -r-sr-xr-x 1 root bin 24576 /usr/bin/login
- setuid root
- need to create full environment
- can call su in a special mode?
159250 -r-sr-xr-x 1 root bin 16384 /usr/bin/su
- setuid root
- need to create full environment
- cannot revoke uid
159265 -r-sr-xr-x 1 root bin 86016 /usr/bin/sudo
- setuid root
- need to create full environment
- cannot revoke uid
159382 -r-xr-sr-x 1 root daemon 24576 /usr/bin/lpq
234463 -r-xr-sr-x 1 root daemon 32768 /usr/sbin/lpc
234464 -r-xr-s--- 1 root daemon 65536 /usr/sbin/lpd
- setgid daemon
159383 48 -r-sr-sr-x 1 daemon daemon 24576 /usr/bin/lpr
159384 48 -r-sr-sr-x 1 daemon daemon 24576 /usr/bin/lprm
- setuid root
- setgid daemon
- XXX millert please explain
158856 -r-xr-sr-x 4 root crontab 28672 /usr/bin/at
158856 -r-xr-sr-x 4 root crontab 28672 /usr/bin/atq
158856 -r-xr-sr-x 4 root crontab 28672 /usr/bin/atrm
158856 -r-xr-sr-x 4 root crontab 28672 /usr/bin/batch
159033 -r-xr-sr-x 1 root crontab 28672 /usr/bin/crontab
- setgid crontab
159352 -r-xr-sr-x 1 root tty 16384 /usr/bin/wall
- setgid tty
- uses egid to open [file]
- does not revoke gid
159360 -r-xr-sr-x 1 root tty 12288 /usr/bin/write
- setgid tty
- revoke gid after opening device
159140 -r-xr-sr-x 1 root auth 12288 /usr/bin/lock
- setgid auth
159224 -r-xr-sr-x 1 root auth 12288 /usr/bin/skeyaudit
159225 -r-xr-sr-x 1 root auth 12288 /usr/bin/skeyinfo
159226 -r-xr-sr-x 1 root auth 20480 /usr/bin/skeyinit
- setgid auth
- should perhaps be another group?
120926 -r-xr-sr-x 1 root smmsp 552960 /usr/libexec/sendmail/sendmail
- XXX millert please describe this
159110 -r-xr-sr-x 1 root kmem 20480 /usr/bin/fstat
159158 -r-xr-sr-x 1 root kmem 12288 /usr/bin/modstat
159161 -r-xr-sr-x 1 root kmem 114688 /usr/bin/netstat
159264 -r-xr-sr-x 1 root kmem 49152 /usr/bin/systat
159350 -r-xr-sr-x 1 root kmem 28672 /usr/bin/vmstat
234506 -r-xr-sr-x 1 root kmem 20480 /usr/sbin/pstat
234545 -r-xr-sr-x 1 root kmem 12288 /usr/sbin/trpt
- setgid kmem for kvm_openfiles
- revoke gid kmem as soon as possible
288399 -r-xr-sr-x 1 root games 45056 /usr/games/atc
288403 -r-xr-sr-x 1 root games 192512 /usr/games/battlestar
288409 -r-xr-sr-x 1 root games 28672 /usr/games/canfield
288410 -r-xr-sr-x 1 root games 12288 /usr/games/cfscores
288411 -r-xr-sr-x 1 root games 28672 /usr/games/cribbage
288417 -r-xr-sr-x 1 root games 233472 /usr/games/hack
288421 -r-xr-sr-x 1 root games 147456 /usr/games/larn
288434 -r-xr-sr-x 1 root games 20480 /usr/games/robots
288435 -r-xr-sr-x 1 root games 114688 /usr/games/rogue
288436 -r-xr-sr-x 1 root games 69632 /usr/games/sail
288438 -r-xr-sr-x 1 root games 24576 /usr/games/snake
288439 -r-xr-sr-x 1 root games 24576 /usr/games/tetris
- setgid games
---
278658 -rwsr-sr-x 1 root utmp 262144 /usr/X11R6/bin/xterm
- suid root for pty allocation at startup, then revoke uid root
- sgid for utmp management, revoke gid utmp when not needed
- on exit, leaves pty's owned by wrong user (but revoke(2) works in OpenBSD)
/usr/X11R6/bin/XFree86
/usr/X11R6/bin/XF86_*
- setuid root
- on some architectures: early open /dev/xf86 & /dev/pci for mappings
- on some architectures: early open /dev/ttyC4 for virtual console
- on i386: i386_iopl(2) call
- for /var/log/XFree86.0.log creation
- user invocation: revokes root uid after the above setup
- xdm invocation: must still be solved, using uid _x11 and gid _x11
- retains elevated device mappings, but is definitely safer
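The "opens sockraw at startup, then revoke uid root" sequence that ping(8) and traceroute(8) follow, written out as an added example (not code from the post or from OpenBSD's ping.c). It uses only POSIX calls; the function names (open_raw_icmp, drop_root_permanently, root_revoked, ping_startup) are made up for the illustration. Run unprivileged, the socket open fails with EPERM but the revocation check still shows the drop is irreversible; run setuid root, the socket stays usable after root is gone.

```c
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <errno.h>
#include <stdio.h>

/* Step 1: take the root-only resource while still effectively root.
 * Returns the raw ICMP socket, or -1 (EPERM when run unprivileged). */
int open_raw_icmp(void)
{
    return socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
}

/* Step 2: revoke root for good. With euid 0, setuid(2) sets the real,
 * effective and saved uid together, so uid 0 cannot be regained later;
 * seteuid(getuid()) alone would leave the saved uid 0. A program that
 * is also setgid must drop its gid first (setgid/setgroups), while root. */
int drop_root_permanently(void)
{
    return setuid(getuid());
}

/* 1 if root can no longer be regained: effective == real, and an attempt
 * to become root again is refused. (A real-root caller trivially keeps
 * root, as ping run by root does.) */
int root_revoked(void)
{
    if (getuid() == 0)
        return 1;
    if (geteuid() != getuid())
        return 0;
    return seteuid(0) == -1 && errno == EPERM;
}

/* The startup order: resource first, drop second. Returns the socket fd
 * (or -1) and reports in *revoked whether root is gone. The fd keeps
 * working afterwards because privilege was checked at open time. */
int ping_startup(int *revoked)
{
    int fd = open_raw_icmp();
    *revoked = drop_root_permanently() == 0 && root_revoked();
    return fd;
}

int main(void)
{
    int revoked, fd = ping_startup(&revoked);
    printf("fd=%d revoked=%d reopen=%d\n", fd, revoked, open_raw_icmp());
    return 0;
}
```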