[Summary] Preventing sticking bits from executing

From: Genovezos, George (George.Genovezos@sabre-holdings.com)
Date: Wed May 19 2004 - 18:15:17 EDT


Thanks to Kevin A. Sindhu who did not answer with "ftp changes permissions" ;)

I do apologize for the malformed question with "root sticky bit"; yes, I did
mean setuid bit. And I was vague with the uploading because I did not want to
get into any particular command. Upload could mean through a vulnerability or
anything.

Thanks to all who responded.

Here is a product that will prevent setuid's from occurring
http://www.roqe.org/papillon/

"2.2.5. Setuid Execution Protection

A lot of vulnerabilities that allow a local attacker to change his privileges
exploit bugs in setuid or setgid binaries. Usually the attacker executes a
shell or another program from within the setuid or setgid binary to gain more
privileges.

The Setuid Execution Protection monitors the execution of programs on the
system and is activated whenever a program with the setuid or setgid bit
executes a child program. The protection can be used to simply log the
execution of these child programs or might also be used to deny any execution
of child programs from within setuid or setgid programs (which might be too
restrictive). Before Papillon is compiled, the white-list of programs that
don't pass this protection can be extended with programs that are known to be
secure. An example output from the syslog is listed below.

    Mar 26 19:01:31 fluffy papillon: WARNING: Executing /tmp/a by
    setuid parent /tmp/b (cmd: /tmp/b, pid: 5039, uid: 101, gid: 10).

Papillon intercepts the execve() system call to monitor the execution of
programs and their parent processes. The p_exec entry is used to retrieve the
parent process' vnode."

George Genovezos, CISSP
Sabre IT Security
Sabre Holdings Inc.
Southlake, TX US 76092
682-605-1375

 -----Original Message-----
From: sunmanagers-bounces@sunmanagers.org
[mailto:sunmanagers-bounces@sunmanagers.org] On Behalf Of Genovezos, George
Sent: Wednesday, May 19, 2004 4:01 PM
To: sunmanagers@sunmanagers.org
Subject: Preventing sticking bits from executing

Hi all,

I have a question.
What prevents a user from uploading a shell script with a root sticky bit and
executing it?
Is there a way of allowing only certain "approved" files executing and denying
the rest?
George Genovezos, CISSP
Sabre IT Security
Sabre Holdings Inc.
Southlake, TX US 76092
682-605-1375
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
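
Added example, not part of the original message and not Papillon code: a
triage pass over syslog that picks out the warning layout quoted above and
ranks each child execution from a setuid parent. WRITABLE_DIRS, EXPECTED_PAIRS
and every sample line except the first are assumptions constructed for this
example.

```python
import posixpath
import re
from typing import Iterable, List, NamedTuple, Optional, Tuple

# Layout of the warning quoted from the Papillon documentation above.
EVENT_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) papillon: WARNING: "
    r"Executing (?P<child>.+?) by\s+setuid parent (?P<parent>.+?) "
    r"\(cmd: (?P<cmd>.*), pid: (?P<pid>\d+), uid: (?P<uid>\d+), "
    r"gid: (?P<gid>\d+)\)\.?\s*$")

class Event(NamedTuple):
    host: str
    child: str
    parent: str
    pid: int
    uid: int

# Assumptions of this example, not Papillon settings.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/")              # world-writable locations
EXPECTED_PAIRS = {("/usr/bin/su", "/usr/bin/ksh")}  # (parent, child) known good

def parse_line(line: str) -> Optional[Event]:
    """Return the event in one syslog line, or None for unrelated lines."""
    m = EVENT_RE.match(line)
    if m is None:
        return None
    # Normalise paths so "../" segments cannot hide a writable directory.
    return Event(m["host"], posixpath.normpath(m["child"]),
                 posixpath.normpath(m["parent"]), int(m["pid"]), int(m["uid"]))

def triage(lines: Iterable[str]) -> List[Tuple[str, Event]]:
    """Drop expected pairs; rank the rest 'high' if either path is writable."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or (ev.parent, ev.child) in EXPECTED_PAIRS:
            continue
        risky = any(p.startswith(WRITABLE_DIRS) for p in (ev.child, ev.parent))
        findings.append(("high" if risky else "review", ev))
    return findings

# First line is the page's sample rejoined onto one line; the rest are constructed.
SAMPLE = [
    "Mar 26 19:01:31 fluffy papillon: WARNING: Executing /tmp/a by setuid parent /tmp/b (cmd: /tmp/b, pid: 5039, uid: 101, gid: 10).",
    "Mar 26 19:02:10 fluffy papillon: WARNING: Executing /usr/bin/ksh by setuid parent /usr/bin/su (cmd: su - oracle, pid: 5102, uid: 0, gid: 1).",
    "Mar 26 19:03:44 fluffy papillon: WARNING: Executing /usr/bin/tar by setuid parent /opt/local/bin/backup (cmd: backup -a, pid: 5140, uid: 204, gid: 10).",
    "Mar 26 19:04:02 fluffy papillon: WARNING: Executing /usr/lib/../../var/tmp/.x by setuid parent /usr/bin/at (cmd: at now, pid: 5177, uid: 101, gid: 10).",
    "Mar 26 19:04:30 fluffy su: 'su root' succeeded for gg on /dev/pts/3",
]
if __name__ == "__main__":
    for severity, ev in triage(SAMPLE):
        print(severity, ev.host, ev.parent, "->", ev.child, "uid", ev.uid)
```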



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:28:42 EDT