[PLUG] [Updates]PLUG meeting on 6th Oct. at 5pm @SICSR

Sunil Beta Baskar betasam at gmail.com
Mon Oct 15 16:18:30 PDT 2012


On 11 October 2012 13:19, Arun Khan <knura9 at gmail.com> wrote:
> On Sun, Oct 7, 2012 at 10:20 AM, Sunil Beta Baskar <betasam at gmail.com> wrote:
>
> ... snip ...
>
>> [ SetUID bit ]
>> Behavior on linux-kernel 3.2.x with
>> $ chmod a+s somefolder
>> $ ls -ltr somefolder
>> shows all files inside somefolder with their original rights and
>> *owners* on ext4. This is on Debian Wheezy.
>>
>> Although the setUID bit is still used, it is not recommended if you
>> want to have any sense of security on a system.
>
> Per your recommendation about usage of SetUID bit, please suggest
> alternatives for the following that come to my mind offhand (I :
>
> $ for x in sudo X chsh passwd; do ls -l $(which ${x}); done
> -rwsr-xr-x 1 root root 71248 Jan 31  2012 /usr/bin/sudo
> -rwsr-sr-x 1 root root 10184 Mar 22  2012 /usr/bin/X
> -rwsr-xr-x 1 root root 37096 Apr  9  2012 /usr/bin/chsh
> -rwsr-xr-x 1 root root 42824 Apr  9  2012 /usr/bin/passwd

The best alternative (except for sudo) is to use 'file capabilities'
which can be manipulated using setcap. Here's a list of all the setuid
programs in a GNU/Linux distribution and how you could remove
setuid/setgid and choose file capabilities in a more fine-grained
manner. The package candidate for installing setcap is libcap2-bin on
my Debian Wheezy box.

https://wiki.archlinux.org/index.php/Using_File_Capabilities_Instead_Of_Setuid

X can be run without the setuid bit, that can be done if you have
enough time to build it. The tough one from which you'd want to pull
that setuid bit off would be 'mount'; right now it results in
permission nightmares.

Beta



More information about the plug-mail mailing list