lenny@quincy.UUCP (Lenny Tropiano) (10/09/87)
Errata from last article:

In my last article where I stated that /etc/lddrv/lddrv should be
protected as 4750, instead of 4755, so not everyone can "allocate
and deallocate system drivers..."  Well I found out that "ipcs" uses
this to see if the ipc (interprocess communication) driver is loaded.
ipcs runs as setgid sys... you have two alternatives if you want the
load-driver (lddrv) program protected:

        chown root /usr/bin/ipcs
        chmod 6755 /usr/bin/ipcs        (setuid root, setgid sys)
-or-
        chgrp sys /etc/lddrv/lddrv      (probably more preferred)

Someone else pointed out that my "find" statement would take a long time
to run, since it exec'd "/bin/ls" for each file.  A more refined find
command would be...

        find / -perm -4000 -print | xargs ls -ld | more

The permission mask 4000 can be changed to check any bit that you like.
Thanks to the people who mentioned this.

---------------------------------------------------------------------

A new possible problem is the protection of files at 777.  Here are some
of them:

-rwxrwxrwx  1 root    bin          0 Sep  6 23:58 /etc/.fontload
-rwxrwxrwx  1 bin     bin         14 Jan  1  1970 /etc/.modem
-rwxrwxrwx  1 bin     bin         64 Sep 20 17:28 /etc/.rs232
-rwxrwxrwx  1 root    users    24101 Sep 27 09:38 /etc/lddrv/ate
-rwxrwxrwx  1 root    root     26784 Sep 27 09:38 /etc/lddrv/kbd
-rwxrwxrwx  1 root    root     34109 Sep 10 20:07 /etc/lddrv/lipc
-rwxrwxrwx  1 root    root     56982 Sep 10 23:01 /etc/lddrv/wind
drwxrwxrwx  6 bin     bin       1376 Oct  3 13:31 /usr/lib/ua

Those drivers shouldn't be 777, 755 will do.

-- 
Lenny Tropiano                  ...seismo!uunet!godfre!quincy!lenny      -or-
American LP Systems, Inc.       ...cmcl2!phri!gor!helm!quincy!lenny      -or-
1777-18 Veterans Memorial Hwy.  ...mtune!quincy!lenny                    -or
Islandia, New York 11722        +1 516-582-5525 ...ihnp4!icus!quincy!lenny

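[Added example, not part of the original thread: the post above notes that the mask in the find command can be changed to check any bit, and then lists mode-777 files. The function below, whose name audit_perms and tags SUID/SGID/WW are illustrative choices, runs that same find test for the set-uid, set-gid and world-writable bits and labels each hit.]

```sh
#!/bin/sh
# Added example (hypothetical helper, not from the thread).
# audit_perms DIR prints one "TAG<TAB>path" line per hit under DIR:
#   SUID = set-uid bit   (mask 4000, the mask used in the post)
#   SGID = set-gid bit   (mask 2000)
#   WW   = world-writable (mask 0002; every mode-777 file has it set)
# Usage: audit_perms /etc | more
audit_perms() {
    dir=${1:-.}
    for pair in 4000:SUID 2000:SGID 0002:WW; do
        mask=${pair%%:*}
        tag=${pair##*:}
        # -perm -MASK matches when all bits in MASK are set.
        # -xdev keeps the walk on one filesystem; symlinks are skipped
        # because their own mode bits carry no meaning.
        # "{} +" batches paths, so printf is run once per batch rather
        # than once per file (the same concern xargs addresses above).
        find "$dir" -xdev ! -type l -perm "-$mask" \
            -exec printf "$tag"'\t%s\n' {} + 2>/dev/null
    done | LC_ALL=C sort
}
```

World-writable directories that carry the sticky bit, such as a mode-1777 /tmp, are reported under WW as well and need to be judged separately.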
ford@crash.CTS.COM (Michael Ditto) (10/15/87)
In article <64@quincy.UUCP> lenny@quincy.UUCP (Lenny Tropiano) writes:
>In my last article where I stated that /etc/lddrv/lddrv should be
>protected as 4750, instead of 4755, so not everyone can "allocate
>and deallocate system drivers..."  Well I found out that "ipcs" uses
>this to see if the ipc (interprocess communication) driver is loaded.

NOBODY except root will ever need to install or remove drivers using
/etc/lddrv/lddrv, so lddrv does not need to be set-uid to root.  Since
ipcs only does "/etc/lddrv/lddrv -q lipc" it does not need to be root
at all.  The best solution to the lddrv security problem is to do

        chmod 755 /etc/lddrv/lddrv

That way anyone can look at the settings, but only root can change them,
because the syslocal(2) system call only lets super-user change the
driver configuration.

-- 
Mike Ditto                      -=] Ford [=-
P.O. Box 1721                   ford@crash.CTS.COM
Bonita, CA 92002                ford%oz@prep.mit.ai.edu