then you have to trust your security admin

... and now guess who that might be. ;-)

But that's not all of the problem. You don't just have to trust root that he is not malicious. You also have to trust root that he is not lazy, uninformed or simply stupid: Imagine a security bug in a completely unrelated program running setuid root or a service started as root. A trustworthy root should install the relevant security update; and he should disable that program or service or at least apply a workaround while no update is available. And root should not give out permissions to any user like candy. Imagine a root doing chmod 4755 exe && chown 0:0 exe for any program a student, intern or manager demands it for. Imagine a root allowing anyone to load a new kernel module.

Update: There are usually more setuid/setgid programs than you might expect. Just for fun, I ran this little script:

    #!/usr/bin/perl
    use v5.12;
    use warnings;
    use autodie qw( :all );

    # Walk every directory in $PATH once, even if it is listed more than once.
    my %seen;
    my @path = grep { !$seen{$_}++ } split /:/, $ENV{'PATH'};

    for my $dirname (@path) {
        # A non-existent $PATH entry would otherwise make autodie abort the run.
        next unless -d $dirname;
        opendir(my $dir, $dirname);
        while (readdir $dir) {
            # Skip symlinks so each binary is reported at its real location.
            next if -l "$dirname/$_";
            # Only regular, executable files; "_" reuses the lstat buffer.
            next unless -f -x _;
            (undef, undef, my $mode) = stat _;
            unless (defined $mode) {
                warn "Can't stat $dirname/$_: $!\n";
                next;
            }
            # 04000 = setuid, 02000 = setgid; skip files that have neither.
            ($mode & 06000) or next;
            printf("%04o %s\n", ($mode & 07777), "$dirname/$_");
        }
        closedir $dir;
    }

It found 36 binaries in $ENV{'PATH'} running setuid or setgid on my home server:

    4511 /sbin/mount.nfs
    4711 /usr/bin/newuidmap
    4755 /usr/bin/pkexec
    4711 /usr/bin/newgidmap
    4711 /usr/bin/newgrp
    2755 /usr/bin/write
    2755 /usr/bin/wall
    4711 /usr/bin/traceroute6
    4755 /usr/bin/cgexec
    4711 /usr/bin/crontab
    4711 /usr/bin/expiry
    4711 /usr/bin/gpasswd
    2755 /usr/bin/slocate
    2751 /usr/bin/xlock
    4750 /usr/bin/fdmount
    4711 /usr/bin/chfn
    4711 /usr/bin/passwd
    4711 /usr/bin/sudo
    2755 /usr/bin/lockfile
    4711 /usr/bin/chage
    4711 /usr/bin/chsh
    6755 /usr/bin/procmail
    4711 /bin/ping6
    4755 /bin/umount
    4755 /bin/mount
    4711 /bin/ping
    4755 /bin/fusermount
    4711 /bin/su
    4511 /opt/VirtualBox/VirtualBox
    4511 /opt/VirtualBox/VBoxVolInfo
    4511 /opt/VirtualBox/VBoxSDL
    4511 /opt/VirtualBox/VBoxNetAdpCtl
    4511 /opt/VirtualBox/VBoxHeadless
    4511 /opt/VirtualBox/VBoxNetDHCP
    4511 /opt/VirtualBox/VBoxNetNAT
    4755 /opt/exim/bin/exim-4.72-1

I should ask root a.k.a. myself: Do I need all of these? Do all of these have to run setuid? Are there more, in directories outside $ENV{'PATH'}?


Today I will gladly share my knowledge and experience, for there are no sweeter words than "I told you so". ;-)

In reply to Re^5: How can a script use a password without making the password visible? by afoken
in thread How can a script use a password without making the password visible? by Cody Fendant
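A follow-up to the question at the end of the post above, whether there are more setuid programs outside $PATH. This is an added example, not the poster's code: it uses GNU find(1) to walk a whole filesystem tree instead of only the $PATH directories, and additionally flags the setuid/setgid files that are also group- or world-writable, which is the case to fix first because anyone who can write the file can run their own code with its privilege. It assumes GNU findutils (for -printf) on a Linux-style filesystem; the directory names in the usage section are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Audit setuid/setgid files under a directory tree with GNU find(1) instead of
# only walking $PATH. Assumes GNU findutils (for -printf); the directory names
# used in the usage section at the bottom are placeholders.

# list_suid ROOT
#   Print "MODE PATH" for every regular file under ROOT that has the setuid
#   (4000) or setgid (2000) bit set. -type f never matches symlinks (find does
#   not follow them without -L), so each binary is reported once, at its real
#   path, like the "next if -l" in the Perl script above. -xdev stays on one
#   filesystem, so /proc, /sys and network mounts are skipped; run it once per
#   filesystem you care about.
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %p\n' 2>/dev/null | sort -k 2
}

# writable_suid ROOT
#   The subset of list_suid that is also group- (020) or world-writable (002).
#   Whoever can write such a file can replace its contents and then execute
#   them with the file's elevated privilege.
writable_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        \( -perm -020 -o -perm -002 \) -printf '%m %p\n' 2>/dev/null | sort -k 2
}

# count_suid ROOT
#   Number of setuid/setgid regular files under ROOT, for a before/after
#   comparison when you start dropping bits with chmod u-s / chmod g-s.
count_suid() {
    list_suid "$1" | wc -l | tr -d ' '
}

# Usage when run directly, e.g.  sh suid_audit.sh /  or  sh suid_audit.sh /opt
if [ "$#" -gt 0 ]; then
    for root in "$@"; do
        echo "== setuid/setgid files under $root: $(count_suid "$root")"
        list_suid "$root"
        echo "== group- or world-writable among them:"
        writable_suid "$root"
    done
fi
```

Run it as root to see files in directories your own account cannot read; errors from unreadable directories are otherwise silently dropped by the 2>/dev/null. The list is the starting point for the three questions in the post: for each entry, decide whether the program is needed at all, whether it needs the bit (chmod u-s removes it without uninstalling), and whether a file outside the distribution's own directories, such as something under /opt, got its bit from a package or from a hand-typed chmod.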
