On Tuesday 06 January 2015, whoami toask wrote:
> Hello,
>
> isn't there too much SUID/SGID files on a default OpenBSD install?
>
> Can this number be reduced?

Of course it can!

$ find / -perm -4000 -o -perm -2000 -exec chmod 0 {} \;

> Example: why does wall, write, modstat need an SGID?
>
> # uname -a
> OpenBSD notebook.lan 5.6 GENERIC.MP#333 amd64
> # find / -perm -4000 -o -perm -2000 -ls -print
> 78047 5856 -rwxr-sr-x 1 root auth 2970920 Aug 6 21:45
> /usr/X11R6/bin/xlock/usr/X11R6/bin/xlock 78068 1216 -rwxr-sr-x 1 root
> utmp 592056 Aug 6 22:09 /usr/X11R6/bin/xterm/usr/X11R6/bin/xterm
> 1147497 60 -r-xr-sr-x 1 root kmem 30200 Jul 31 11:50
> /usr/local/bin/libgtop_server2/usr/local/bin/libgtop_server2 78031 32
> -r-xr-sr-x 1 root utmp 15864 Jul 31 09:57
> /usr/local/libexec/gnome-pty-helper/usr/local/libexec/gnome-pty-helper
> 155910 84 -r-xr-sr-x 4 root crontab 41752 Aug 8 08:06
> /usr/bin/at/usr/bin/at 155910 84 -r-xr-sr-x 4 root crontab
> 41752 Aug 8 08:06 /usr/bin/atq/usr/bin/atq 155910 84 -r-xr-sr-x 4
> root crontab 41752 Aug 8 08:06 /usr/bin/atrm/usr/bin/atrm 155910
> 84 -r-xr-sr-x 4 root crontab 41752 Aug 8 08:06
> /usr/bin/batch/usr/bin/batch 155943 72 -r-xr-sr-x 1 root crontab
> 36504 Aug 8 08:06 /usr/bin/crontab/usr/bin/crontab 156014 24
> -r-xr-sr-x 1 root auth 11672 Aug 8 08:06
> /usr/bin/lock/usr/bin/lock 156019 60 -r-xr-sr-x 1 root daemon
> 28952 Aug 8 08:06 /usr/bin/lpq/usr/bin/lpq 156033 20 -r-xr-sr-x 1
> root _lkm 8952 Aug 8 08:06 /usr/bin/modstat/usr/bin/modstat
> 156035 292 -r-xr-sr-x 1 root kmem 148216 Aug 8 08:06
> /usr/bin/netstat/usr/bin/netstat 156093 24 -r-xr-sr-x 1 root auth
> 11544 Aug 8 08:06 /usr/bin/skeyaudit/usr/bin/skeyaudit 156094 16
> -r-xr-sr-x 1 root auth 8184 Aug 8 08:06
> /usr/bin/skeyinfo/usr/bin/skeyinfo 156095 44 -r-xr-sr-x 1 root
> auth 20632 Aug 8 08:06 /usr/bin/skeyinit/usr/bin/skeyinit 156105
> 704 -r-xr-sr-x 1 root _sshagnt 333656 Aug 8 08:07
> /usr/bin/ssh-agent/usr/bin/ssh-agent 156112 284 -r-xr-sr-x 1 root
> kmem 144568 Aug 8 08:06 /usr/bin/systat/usr/bin/systat 156146 32
> -r-xr-sr-x 1 root tty 15928 Aug 8 08:06
> /usr/bin/wall/usr/bin/wall 156152 28 -r-xr-sr-x 1 root tty
> 13080 Aug 8 08:06 /usr/bin/write/usr/bin/write 103939 40 -r-xr-sr-x 4
> root _token 20344 Aug 8 08:06
> /usr/libexec/auth/login_activ/usr/libexec/auth/login_activ 103939 40
> -r-xr-sr-x 4 root _token 20344 Aug 8 08:06
> /usr/libexec/auth/login_crypto/usr/libexec/auth/login_crypto 103943 40
> -r-xr-sr-x 1 root _radius 19928 Aug 8 08:06
> /usr/libexec/auth/login_radius/usr/libexec/auth/login_radius 103945 24
> -r-xr-sr-x 1 root auth 11608 Aug 8 08:06
> /usr/libexec/auth/login_skey/usr/libexec/auth/login_skey 103939 40
> -r-xr-sr-x 4 root _token 20344 Aug 8 08:06
> /usr/libexec/auth/login_snk/usr/libexec/auth/login_snk 103939 40
> -r-xr-sr-x 4 root _token 20344 Aug 8 08:06
> /usr/libexec/auth/login_token/usr/libexec/auth/login_token 103947 40
> -r-xr-sr-x 1 root auth 20408 Aug 8 08:06
> /usr/libexec/auth/login_yubikey/usr/libexec/auth/login_yubikey 103987 1568
> -r-xr-sr-x 1 root smmsp 783576 Aug 8 08:08
> /usr/libexec/sendmail/sendmail/usr/libexec/sendmail/sendmail 52023 80
> -r-xr-sr-x 1 root daemon 39736 Aug 8 08:06
> /usr/sbin/lpc/usr/sbin/lpc 52024 160 -r-xr-s--- 1 root daemon
> 80952 Aug 8 08:06 /usr/sbin/lpd/usr/sbin/lpd 52073 52 -r-xr-sr-x 1
> root kmem 24664 Aug 8 08:06 /usr/sbin/pstat/usr/sbin/pstat
> 519680 4 drwxrws--- 2 root wheel 512 Aug 8 08:05
> /var/audit/var/audit
> # find / -perm -4000 -o -perm -2000 -ls -print | wc -l
> 32
>
> Thanks,
>
> have a secure day!

--
"Action without study is fatal. Study without action is futile."
-- Mary Ritter Beard
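
Added example, not part of the original message or of OpenBSD itself: in the find expressions quoted above, -o binds more loosely than the implied -a, so a trailing action attaches only to the -perm -2000 test, which is consistent with the quoted listing containing only set-group-ID entries. The script compares that ungrouped form with a parenthesised one on a constructed temporary fixture; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: SUID/SGID inventory with correct find operator grouping.
# Constructed fixture: three empty files in a temporary directory,
# one set-user-ID, one set-group-ID, one with neither bit.

# Print every regular file under $1 that has the SUID or SGID bit set.
# The parentheses make -type and -print apply to both -perm tests.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# The same tests without grouping, in the shape used in the thread.
# Parsed as: (-perm -4000) -o (-perm -2000 -a -print), so a file that
# matches only -perm -4000 is never passed to the action.
list_ungrouped() {
    find "$1" -perm -4000 -o -perm -2000 -print
}

# Build the constructed fixture and print its path.
make_fixture() {
    d=$(mktemp -d) || return 1
    : > "$d/suid_only"; : > "$d/sgid_only"; : > "$d/plain"
    # Use our own primary group so the set-group-ID bit is retained.
    chgrp "$(id -g)" "$d/suid_only" "$d/sgid_only" "$d/plain"
    chmod 4755 "$d/suid_only"
    chmod 2755 "$d/sgid_only"
    chmod 0755 "$d/plain"
    printf '%s\n' "$d"
}

count_lines() { wc -l | tr -d ' '; }

demo() {
    d=$(make_fixture) || return 1
    echo "grouped:   $(list_setid "$d" | count_lines) file(s)"
    echo "ungrouped: $(list_ungrouped "$d" | count_lines) file(s)"
    rm -rf "$d"
}

demo
```

To audit a real system, point list_setid at each local filesystem root in turn; -xdev keeps it from crossing mount points.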