[comp.sys.sgi] Some questions on security on an Iris 4D

pavel@DGP.TORONTO.EDU (Pavel Rozalski) (11/14/89)

I was just taking a look at one of the local Iris 4D's shipped with
IRIX 3.2 and thought I would run some find commands. Here are some
findings and comments.

Set GID:

-rwxr-sr-x   1 root     wheel      94256 Sep 27 17:52 /etc/fuser
---x--s--x   1 root     wheel       8240 Sep 27 17:52 /etc/killall
-rwxr-sr-x   1 root     wheel      61488 Sep 27 17:52 /etc/savecore
-rwxr-sr-x   1 bin      wheel      20528 Sep 27 17:52 /etc/whodo

Probably none of the above need to be set GID - killall will only do
stuff if the UID is root anyway.

Set UID:

-rwsrwsr-x   1 lp       bin        53296 Sep 27 17:55 /usr/lib/accept
-rwsrwsr-x   1 root     bin        69680 Sep 27 17:55 /usr/lib/lpadmin
-rwsrwsr-x   1 lp       bin        57392 Sep 27 17:55 /usr/lib/lpmove
-rwsrwsr-x   1 root     bin       102400 Sep 27 17:55 /usr/lib/lpsched
-rwsrwsr-x   1 lp       bin        49200 Sep 27 17:55 /usr/lib/lpshut
-rwsrwsr-x   1 lp       bin        53296 Sep 27 17:55 /usr/lib/reject

The above all have to do with line printer administration - since they
all should probably be run by root, there is probably no reason they
should be set UID.

-rwsrwsr-x   1 lp       bin        57392 Sep 27 17:53 /usr/bin/cancel
-rwsrwsr-x   1 lp       bin        57392 Sep 27 17:53 /usr/bin/disable
-rwsrwsr-x   1 lp       bin        12336 Sep 27 17:53 /usr/bin/enable
-rwsrwsr-x   1 lp       bin        69680 Sep 27 17:53 /usr/bin/lp
-rwsrwsr-x   1 lp       bin        65584 Sep 27 17:53 /usr/bin/lpstat

User lp commands - probably some of these need to be set UID if you
want to put up with lp and friends.

-rwsr-xr-x   1 root     wheel     151728 Sep 27 17:56 /usr/sbin/gr_osview

This works just as well when it isn't set UID (as far as I could tell).

-rwsrwsr-x   1 root     bin       471216 Sep 27 18:06 /usr/lib/vadmin/disks
-rwsr-xr-x   1 root     bin       467120 Sep 27 18:06 /usr/lib/vadmin/networking
-rwsr-xr-x   1 root     bin       438448 Sep 27 18:06 /usr/lib/vadmin/printers
-rwsrwsr-x   1 root     bin       352432 Sep 27 18:06 /usr/lib/vadmin/serial_ports
-rwsrwsr-x   1 root     bin       454832 Sep 27 18:06 /usr/lib/vadmin/users
-rwsr-xr-x   1 root     wheel      53296 Sep 27 17:53 /usr/bin/crontab
-rwsr-xr-x   1 root     wheel      77872 Nov  6 16:20 /usr/bin/under
-r-sr-xr-x   1 root     wheel      73776 Sep 27 17:54 /usr/etc/ping
-rwsr-xr-x   1 root     wheel      94208 Sep 27 17:54 /usr/etc/timedc
-rwsr-xr-x   1 root     wheel     155696 Sep 27 17:56 /usr/sbin/bru
-rwsr-xr-x   1 root     wheel     131184 Sep 27 17:56 /usr/sbin/edge
-rwsr-xr-x   1 root     bin       274608 Sep 27 18:07 /usr/sbin/systemdown
-rwsr-xr-x   1 root     bin       372912 Sep 27 18:07 /usr/sbin/vadmin

I don't know about the above. I doubt very much that edge, a debugger,
must be set UID...

Writeable files:

drwxrwxrwx   3 root     mail     512 Nov  6 14:31 /usr/mail
drwxrwxrwx   2 root     mail     512 Nov  6 14:31 /usr/mail/:saved

Do you really want to keep around a mail system that *requires*
permissions like that? Not only is mail forgery trivial but I doubt if
it is desirable to have users store their files there.

-rw-rw-rw-   1 root     wheel          0 Sep 27 18:39 /usr/lib/cron/at.deny
-rw-rw-rw-   1 root     wheel          0 Sep 27 18:39 /usr/lib/cron/cron.deny

Not sure about those two.

-rw-rw-rw-   1 root     wheel          0 Nov  9 23:20 /usr/lib/aliases.dir
-rw-rw-rw-   1 root     wheel       1024 Nov  9 23:20 /usr/lib/aliases.pag

Bad hole - lets average user redirect anyone's mail and get sendmail
to run any program as daemon. Not safe. I can provide details.

-rw-rw-rw-   1 bin      bin          652 Sep 27 18:06 /usr/sbin/IRIS_Visualizer
-rw-rw-rw-   1 bin      bin          377 Sep 27 18:07 /usr/sbin/quickmodel
-rw-rw-rw-   1 bin      bin          374 Sep 27 18:07 /usr/sbin/quickpaint
-rw-rw-rw-   1 tutor    997          910 Sep 27 17:57 /usr/tutor/getstart/textfile
-rw-rw-rw-   1 root     wheel          3 Nov  9 23:20 /etc/syslog.pid
-rw-rw-rw-   1 root     wheel          0 Nov 13 21:57 /etc/rmtab

Not sure about those.


I doubt if many of the above files should have the permissions they
are shipped with. Perhaps someone at SGI could confirm which of those
files really need to be set UID or world writeable.

Pavel Rozalski
UUCP:         ..!uunet!dgp.toronto.edu!pavel
Bitnet:       pavel@dgp.utoronto
Internet/Ean: pavel@dgp.toronto.{edu,cdn}	       
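
An added example, not part of either post: a small parser that classifies `ls -l` lines like those in the listing above by set-UID, set-GID and world-writable bits, and also flags set-ID files that their group or anyone can rewrite. The sample lines are copied from the listing; the function names and flag labels are illustrative.

```python
# Added example: classify `ls -l` lines by the permission bits the post audits.
# Function names are illustrative; sample lines are copied from the listing above.

LISTING = """\
---x--s--x   1 root     wheel       8240 Sep 27 17:52 /etc/killall
-rwsrwsr-x   1 root     bin        69680 Sep 27 17:55 /usr/lib/lpadmin
-rwsr-xr-x   1 root     wheel     131184 Sep 27 17:56 /usr/sbin/edge
-r-sr-xr-x   1 root     wheel      73776 Sep 27 17:54 /usr/etc/ping
drwxrwxrwx   3 root     mail     512 Nov  6 14:31 /usr/mail
-rw-rw-rw-   1 root     wheel       1024 Nov  9 23:20 /usr/lib/aliases.pag
"""

def classify(line):
    """Return (path, owner, group, sorted flag list) for one `ls -l` line."""
    fields = line.split()
    mode, owner, group, path = fields[0], fields[2], fields[3], fields[-1]
    if len(mode) != 10:
        raise ValueError("not an ls -l mode string: %r" % mode)
    flags = set()
    # 's' = set-ID with execute, 'S' = set-ID without execute.
    if mode[3] in "sS":
        flags.add("setuid")
    if mode[6] in "sS":
        flags.add("setgid")
    if mode[8] == "w":
        flags.add("world-writable")
    # A set-ID program that its group or anyone can rewrite is only as
    # trustworthy as every account able to write to it.
    if flags & {"setuid", "setgid"} and (mode[5] == "w" or mode[8] == "w"):
        flags.add("writable-set-id")
    return path, owner, group, sorted(flags)

def audit(listing):
    """Classify every non-blank line; keep only entries with findings."""
    results = {}
    for line in listing.splitlines():
        if line.strip():
            path, owner, group, flags = classify(line)
            if flags:
                results[path] = (owner, group, flags)
    return results

if __name__ == "__main__":
    for path, (owner, group, flags) in audit(LISTING).items():
        print("%-22s %s:%s  %s" % (path, owner, group, ", ".join(flags)))
```
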

vjs@rhyolite.wpd.sgi.com (Vernon Schryver) (11/15/89)

In article <8911140720.AA15210@explorer.dgp.toronto.edu>, pavel@DGP.TORONTO.EDU (Pavel Rozalski) writes:
> I was just taking a look at one of the local Iris 4D's shipped with
> IRIX 3.2 and thought I would run some find commands. Here are some
> findings and comments.
> 
> Set GID:
> 
> -rwxr-sr-x   1 root     wheel      94256 Sep 27 17:52 /etc/fuser
> ---x--s--x   1 root     wheel       8240 Sep 27 17:52 /etc/killall
> -rwxr-sr-x   1 root     wheel      61488 Sep 27 17:52 /etc/savecore
> -rwxr-sr-x   1 bin      wheel      20528 Sep 27 17:52 /etc/whodo
> 
> Probably none of the above need to be set GID - killall will only do
> stuff if the UID is root anyway.

One assumes that your "wheel" is an addition to your /etc/groups, and
is defined as 0.  If not, all of the files with group "wheel" were
changed at your site.

Killall should be sgid=sys, because it is a great program.  It will kill
anything you have permission to kill.  It is an extremely simple and
fast replacement for the usual `ps -le | grep blah-de-blah | xargs kill`.

Fuser is also usefully sgid=sys.  Savecore seems a little odd, since
it should only be run by root.

> ...
> Writeable files:
> 
> drwxrwxrwx   3 root     mail     512 Nov  6 14:31 /usr/mail
> drwxrwxrwx   2 root     mail     512 Nov  6 14:31 /usr/mail/:saved

This is a bug.  They should be 775, since all of the
programs that need to muck with these directories are sgid=mail.

> -rw-rw-rw-   1 root     wheel          0 Sep 27 18:39 /usr/lib/cron/at.deny
> -rw-rw-rw-   1 root     wheel          0 Sep 27 18:39 /usr/lib/cron/cron.deny
> 
> Not sure about those two.

This is a bug, or a local problem like the following:

> -rw-rw-rw-   1 root     wheel          0 Nov  9 23:20 /usr/lib/aliases.dir
> -rw-rw-rw-   1 root     wheel       1024 Nov  9 23:20 /usr/lib/aliases.pag
> 
> Bad hole - lets average user redirect anyone's mail and get sendmail
> to run any program as daemon. Not safe. I can provide details.

This does not happen here on a machine with 3.2 installed "clean" (i.e.
the disks scrubbed).  Is it possible that some script, .profile, etc.
of yours does a `umask 0`?

> I doubt if many of the above files should have the permissions they
> are shipped with. Perhaps someone at SGI could confirm which of those
> files really need to be set UID or world writeable.
> 
> Pavel Rozalski
> UUCP:         ..!uunet!dgp.toronto.edu!pavel
> Bitnet:       pavel@dgp.utoronto
> Internet/Ean: pavel@dgp.toronto.{edu,cdn}	       


Other people should comment on the other files.  In general, this is an
interesting list.


Vernon Schryver
Silicon Graphics
vjs@sgi.com
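
An added example, not part of the thread, for the `umask 0` question raised above: it creates a file and a directory under several umasks and reports the resulting modes. It assumes the creating program requests 0666 for files and 0777 for directories; the function names and temporary file names are illustrative.

```python
# Added example: what a process umask does to newly created files and dirs.
# Assumption: the creating program asks for 0666 (file) and 0777 (directory).
import os
import stat
import tempfile

def modes_under_umask(mask, file_req=0o666, dir_req=0o777):
    """Create a file and a directory under `mask`; return their rwx bits."""
    old = os.umask(mask)
    try:
        with tempfile.TemporaryDirectory() as top:
            fpath = os.path.join(top, "aliases.pag")  # illustrative name
            dpath = os.path.join(top, "mail")         # illustrative name
            os.close(os.open(fpath, os.O_CREAT | os.O_WRONLY, file_req))
            os.mkdir(dpath, dir_req)
            return (os.stat(fpath).st_mode & 0o777,
                    os.stat(dpath).st_mode & 0o777)
    finally:
        os.umask(old)  # always restore the caller's umask

def world_writable(mode):
    """True if the 'other' write bit is set."""
    return bool(mode & stat.S_IWOTH)

def report(masks=(0o000, 0o002, 0o022)):
    """Return (umask, file mode, dir mode, file world-writable?) per mask."""
    rows = []
    for mask in masks:
        fmode, dmode = modes_under_umask(mask)
        rows.append((mask, fmode, dmode, world_writable(fmode)))
    return rows

if __name__ == "__main__":
    for mask, fmode, dmode, ww in report():
        print("umask %03o -> file %03o, dir %03o, world-writable file: %s"
              % (mask, fmode, dmode, ww))
```
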