[Summary] Preventing sticking bits from executing

From: Genovezos, George (George.Genovezos_at_sabre-holdings.com)
Date: 05/20/04

    Date: Wed, 19 May 2004 17:15:17 -0500
    To: <sunmanagers@sunmanagers.org>
    
    

    Thanks to Kevin A. Sindhu who did not answer with "ftp changes permissions"
    ;)

    I do apologize for the malformed question with "root sticky bit"; yes, I
    did mean setuid bit. And I was vague with the uploading because I did not
    want to get into any particular command. Upload could mean through a
    vulnerability or anything.

    Thanks to all who responded.

    Here is a product that will prevent setuid's from occurring
    http://www.roqe.org/papillon/

    "2.2.5. Setuid Execution Protection

    A lot of vulnerabilities that allow a local attacker to change his
    privileges exploit bugs in setuid or setgid binaries. Usually the attacker
    executes a shell or another program from within the setuid or setgid
    binary to gain more privileges.

    The Setuid Execution Protection monitors the execution of programs on the
    system and is activated whenever a program with the setuid or setgid bit
    executes a child program. The protection can be used to simply log the
    execution of these child programs or might also be used to deny any
    execution of child programs from within setuid or setgid programs (which
    might be too restrictive). Before Papillon is compiled, the white-list of
    programs that don't pass this protection can be extended with programs
    that are known to be secure. An example output from the syslog is listed
    below.

    Mar 26 19:01:31 fluffy papillon: WARNING: Executing /tmp/a by
    setuid parent /tmp/b (cmd: /tmp/b, pid: 5039, uid: 101, gid: 10).

    Papillon intercepts the execve() system call to monitor the execution of
    programs and their parent processes. The p_exec entry is used to retrieve
    the parent process' vnode."

    George Genovezos, CISSP
    Sabre IT Security
    Sabre Holdings Inc.
    Southlake, TX US 76092
    682-605-1375

     -----Original Message-----
    From: sunmanagers-bounces@sunmanagers.org
    [mailto:sunmanagers-bounces@sunmanagers.org] On Behalf Of Genovezos, George
    Sent: Wednesday, May 19, 2004 4:01 PM
    To: sunmanagers@sunmanagers.org
    Subject: Preventing sticking bits from executing

    Hi all,

    I have a question.
    What prevents a user from uploading a shell script with a root sticky bit
    and executing it?
    Is there a way of allowing only certain "approved" files executing and
    denying the rest?

    George Genovezos, CISSP
    Sabre IT Security
    Sabre Holdings Inc.
    Southlake, TX US 76092
    682-605-1375
    _______________________________________________
    sunmanagers mailing list
    sunmanagers@sunmanagers.org
    http://www.sunmanagers.org/mailman/listinfo/sunmanagers
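
When the Setuid Execution Protection quoted above runs in log-only mode, its syslog entries still have to be reviewed. The following is an added example, not part of the original post and not Papillon code: it parses entries in the format quoted above and marks which ones need a look. The approved-parent list, the directory list and the shell list are assumptions to be replaced per site.

```python
import re
from posixpath import basename

# Field layout taken from the Papillon syslog line quoted above; only the
# "setuid parent" wording shown there is matched.
EVENT_RE = re.compile(
    r"(?P<host>\S+) papillon: WARNING: Executing (?P<child>\S+) by setuid "
    r"parent (?P<parent>\S+) \(cmd: (?P<cmd>.*?), pid: (?P<pid>\d+), "
    r"uid: (?P<uid>\d+), gid: (?P<gid>\d+)\)"
)

# Assumptions for this example (site policy, not Papillon settings).
WORLD_WRITABLE = ("/tmp/", "/var/tmp/")
SHELLS = {"sh", "csh", "ksh", "bash", "tcsh", "zsh"}
APPROVED_PARENTS = {"/usr/bin/passwd", "/usr/bin/su"}


def triage(log_text, approved=APPROVED_PARENTS):
    """Return one dict per Papillon event, with the reasons it needs review."""
    # Collapse whitespace so entries re-wrapped by mail or a pager still parse.
    flat = re.sub(r"\s+", " ", log_text)
    events = []
    for m in EVENT_RE.finditer(flat):
        ev = m.groupdict()
        unapproved = ev["parent"] not in approved
        reasons = ["parent not approved"] if unapproved else []
        if any(p.startswith(WORLD_WRITABLE) for p in (ev["parent"], ev["child"])):
            reasons.append("runs from world-writable directory")
        if unapproved and basename(ev["child"]) in SHELLS:
            reasons.append("child is a shell")
        ev["reasons"] = reasons
        events.append(ev)
    return events


# Constructed sample: the first entry is the line from the quoted text, wrapped
# across two lines as it is in the e-mail; the other two are made up.
SAMPLE = """\
Mar 26 19:01:31 fluffy papillon: WARNING: Executing /tmp/a by
setuid parent /tmp/b (cmd: /tmp/b, pid: 5039, uid: 101, gid: 10).
Mar 26 19:02:10 fluffy papillon: WARNING: Executing /usr/bin/ksh by setuid parent /usr/bin/su (cmd: su - oracle, pid: 5102, uid: 0, gid: 1).
Mar 26 19:03:44 fluffy papillon: WARNING: Executing /bin/sh by setuid parent /opt/app/bin/helper (cmd: /opt/app/bin/helper -x, pid: 5177, uid: 101, gid: 10).
"""

if __name__ == "__main__":
    for ev in triage(SAMPLE):
        print(ev["host"], ev["pid"], ev["parent"], "->", ev["child"], ev["reasons"])
```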

