Re: /bin/ping is group writable

On 8/27/06, Bruce Dubbs <[EMAIL PROTECTED]> wrote:
> Robert Connolly wrote:
> >
> > I agree that only trusted users should be in group root, but being in someone's
> > group should not allow escalation to taking over the account. It undermines
> > the purpose of having groups.
>
> We are saying that it's not really a significant vulnerability. Yes, it
> could be used to escalate to a uid root by someone in the root group if
> the administrator is stupid and adds a user to the root group. It would
> also be stupid to `chmod -R o+w /bin`. We just can't stop every possible
> misconfiguration admins can make.

I have to agree with Robert on this one. If something is known to install with weak permissions, I think we should change them instead of writing it off as bad packaging. The fix is simple enough.

--
Dan
--
http://linuxfromscratch.org/mailman/listinfo/lfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page

Re: /bin/ping is group writable

On Monday 28 August 2006 03:24, Robert Connolly wrote:
> sed 's/4775/4755/' -i ping/Makefile.in

First, I think the shown way is a hack a little. It's better to do the following after installation:

    chmod 4711 /bin/ping

Second, shouldn't it be 4711 rather than 4755? The read-by-others access to a SUID file is a security hole.

--
Nothing but perfection
pv

Re: /bin/ping is group writable

Dan Nicholson wrote these words on 08/28/06 08:52 CST:
> I have to agree with Robert on this one. If something is known to
> install with weak permissions, I think we should change them instead
> of writing it off as bad packaging. The fix is simple enough.

The argument is not the permissions of a file. Bruce and I are saying that it is improper to add anyone to the root group (which makes this whole discussion moot, as there should be no users in the root group).

However, at this point, the discussion should probably be dropped as Bruce and I are arguing one thing, and you and Robert are refuting our statements with an argument about something completely different.

--
Randy

rmlscsi: [bogomips 1003.23] [GNU ld version 2.16.1] [gcc (GCC) 4.0.3]
[GNU C Library stable release version 2.3.6] [Linux 2.6.14.3 i686]
13:17:00 up 3 days, 21:47, 1 user, load average: 0.04, 0.04, 0.01

Re: /bin/ping is group writable

On 8/28/06, Randy McMurchy <[EMAIL PROTECTED]> wrote:
> Dan Nicholson wrote these words on 08/28/06 08:52 CST:
> > I have to agree with Robert on this one. If something is known to
> > install with weak permissions, I think we should change them instead
> > of writing it off as bad packaging. The fix is simple enough.
>
> The argument is not the permissions of a file. Bruce and I are saying
> that it is improper to add anyone to the root group (which makes this
> whole discussion moot, as there should be no users in the root group).

No, I agree with that point. Under normal operations and normal use case, this isn't an issue. But, it's weaker permissions than it needs to be and is more susceptible to a security breach. Not a big deal, though. I was just saying I agreed with Robert. I don't want to get into an ugly debate about this.

--
Dan

Re: /bin/ping is group writable

Vladimir A. Pavlov wrote:
> On Monday 28 August 2006 03:24, Robert Connolly wrote:
>> sed 's/4775/4755/' -i ping/Makefile.in
>
> First, I think the shown way is a hack a little. It's better to do the
> following after installation:
>
> chmod 4711 /bin/ping
>
> Second, shouldn't it be 4711 rather than 4755? The read-by-others access
> to a SUID file is a security hole.

I even would go one step further, a normal user is not able to troubleshoot network problems so why should he be able to ping?

    chmod 0711 /bin/ping

    [EMAIL PROTECTED]:~$ ping www.goole.de
    ping: ping must run as root can't init ping: Operation not permitted

Every SUID program is potentially dangerous. However, I don't want to start a flamewar about this...

Thorsten

Re: /bin/ping is group writable

Vladimir A. Pavlov wrote:
> On Monday 28 August 2006 03:24, Robert Connolly wrote:
>> sed 's/4775/4755/' -i ping/Makefile.in
>
> First, I think the shown way is a hack a little. It's better to do the
> following after installation:
>
> chmod 4711 /bin/ping
>
> Second, shouldn't it be 4711 rather than 4755? The read-by-others access
> to a SUID file is a security hole.

Blocking read access wouldn't hurt anything, but wouldn't gain anything either. Do you care if someone can copy the file? Virtually everything in /bin is 755 and some have the suid bit set too. You are free to remove the read permissions on your system if you want.

Looking in my /bin, these are the non-755 files:

    555:  bashbug, kill, ps
    4755: mount, passwd, su, mount
    4775: ping

--
Bruce
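
The same kind of survey as the /bin listing above, narrowed to the case this thread is about, as an added example that is not part of any poster's message: it reports setuid/setgid files that group or others can write to and can strip that write bit. The function names and the demo tree are constructed for illustration; `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the thread): audit a directory for setuid/setgid
# files that group or others may write to, such as a ping installed 4775.

# Print "MODE PATH" for every regular file under $1 that has the setuid or
# setgid bit AND a group- or other-write bit. Uses POSIX find tests only.
audit_suid_writable() {
    find "$1" -xdev -type f \
        \( -perm -4000 -o -perm -2000 \) \
        \( -perm -0020 -o -perm -0002 \) \
        -exec stat -c '%a %n' {} + 2>/dev/null | sort -k2
}

# Remove group/other write from each finding while keeping the setuid/setgid
# bits (4775 becomes 4755). Prints "OLD -> NEW PATH" per file changed.
# Paths containing newlines are not handled.
tighten_suid_writable() {
    audit_suid_writable "$1" | while read -r mode path; do
        chmod go-w "$path" &&
            printf '%s -> %s %s\n' "$mode" "$(stat -c '%a' "$path")" "$path"
    done
}

# Constructed demo tree standing in for /bin: empty files that carry the
# modes mentioned in the thread. Prints the directory it created.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    for f in ping su ls; do : > "$d/$f"; done
    chmod 4775 "$d/ping"   # the mode the thread complains about
    chmod 4755 "$d/su"     # setuid but not group-writable: not reported
    chmod 0755 "$d/ls"     # ordinary binary: not reported
    printf '%s\n' "$d"
}
```

Source the file and run `audit_suid_writable /bin` to list findings on a real system; `tighten_suid_writable` needs write permission on the files it changes.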

Re: German LFS

On 8/26/06, Thomas Reitelbach <[EMAIL PROTECTED]> wrote:
> Hello,
>
> the German translation of LFS 6.2 is now available at the usual resource:
> http://oss.erdfunkstelle.de/lfs-de/
>
> I'm sorry for the delay of 3 weeks, I've been busy with other important
> things.

Done. Thanks.

http://www.linuxfromscratch.org/lfs/read.html

--
Dan

Re: /bin/ping is group writable

Robert Connolly wrote:
> I don't know how many of you feel comfortable with an suid-root program being
> group writable. I suggest we add:
>
> sed 's/4775/4755/' -i ping/Makefile.in
>
> to the LFS book.

Did I mention that the ping in inetutils sucks? There is a much better one in the iputils package:

http://packages.debian.org/unstable/net/iputils-ping

It is much better for things like scripting where the user can specify things like timeouts, the interface to use, tos bits, ttl, etc. See the man page at http://www.die.net/doc/linux/man/man8/ping.8.html

The Makefile doesn't have an install, so you have to copy the program and man pages with whatever permissions you want.

--
Bruce

Re: /bin/ping is group writable

As-is, the /bin/ping permissions in LFS are not exploitable. You have to go out of your way to make it so, and the same could be said about countless other configurations. Changing the permission on /bin/ping wouldn't have any effect on the security of the vanilla system, and only serves a "what if" scenario, and if we start reconfiguring the system based on every "what if" it would quickly get ludicrous.

The permissions on /bin/ping struck me as bizarre, and I thought it was worth mentioning.

robert