FAQ Article: What are SUID Binaries and why are they dangerous? |
Let's first establish what SUID is - SUID is short for Set User ID. As we explained in the previous topic, commands/files you execute always run with your privileges on the system - makes sense for security purposes, right? wrong - this is where SUID comes in.
SUID files can be run with the privileges of the person who SUID'd them. When you run a program with the suid bit set, the program is run as the owner of the program rather than as you, the person running it. This means that when it is running the program has access to all of it's owners files and privileges. Does this sound dangerous to you? should do...because it is - but it's sometimes necessary.
Let's take an example now, say the unix "passwd" command (which you can use to change your password for logging into the system). This is a typical use of the passwd program:
$ passwd
Changing password for wang
(current) UNIX password:
New UNIX password:
Password changed
Have you ever sat back and thought "what does it actually have to do to change my password?" - well, The passwd program has to be able to update the /etc/passwd and /etc/shadow files (or equivalent, depending on what *nix you are using), which are owned by root - so therefore, a typical binary not owner by root wouldn't be able to do it...and passwd must run as root to do this.
So the dilemma is set - the program must be owner by root and modify files that only root should be able to modify - but allow you to run it as standard user. So, how does passwd achieve this? it is SUID - as the ls -l shows:
-rwsr-xr-x 1 root root 27K Jul 8 17:01 passwd
Notice the "s" in the privileges - that's how you identify the SUID binary. Therefore, passwd works because it's owner is root and it has the suid bit set - so we run passwd as our user, but the system automatically makes it run as root.
This is all well and good, and you can no doubt see why SUID binaries are useful...however, there should also be alarm bells ringing in your heads. What if...the program was exploitable somehow - what if you could make the program execute any command you wish? if you could...it would execute any command you wish, not at your privilege level -but at the SUID level.
Therefore, SUID-root programs are the largest security threat...since you can't get any better than being able to execute any command you wish as root!
SUID programs are so dangerous are also very dangerous because interaction with the untrusted user begins before the program is even started. There are many ways to confuse the program, using things like environment variables, signals, or anything you want.
Exactly this 'confusion' of a program is a cause of frequent buffer overflows (which we will cover). More than 50 % of all major security bugs leading to releases of security advisors are accounted to SUID programs. And some distributions of *nix are shipped with hundreds of these suid programs, most of which you'll probably never use.
Of course there are few which are necessary, in order that normal user might perform operations which are normally done by root (like the passwd example). So, we have another dilemma - we don't want to have risky SUID programs on our system....but we can't delete them all. Doh.
First things first...is there a quick way to find all the SUID binaries on my system? Yes - execute the following command from a shell:
for i in `find / -perm +6000 -type f`; do ls -aFl $i >> suids; done
This is a really good way of finding them, since it will go through searching and create a file in your current directory called "suids" which has the ls -l output of the SUID binary for you to see. If the above command doesn't work, it may be because the above command relies on GNU find, and you might be on a *nix variation with a less-friendly find...therefore try:
'find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \;
If you ran the first command above, you can then just "cat suids" or read it in your favourite editor (pico suids, vi suids, vim suids, etc) to see the list of SUID binaries found. If you ran the second find string...you should see the list appear in the shell as it searches.
You will see all the usual suspects there - all the SUID one's you need, such as passwd, su, mount etc - but unfortunately, since every distribution and unix system will be different, I can't tell you which ones you need and which ones you don't :( - it will be process of discovery for you. Here is just a small list of the really common "ok" expected SUID binaries (there may be a lot more on yours though, don't panic)
/usr/bin/crontab
/usr/bin/newgrp
/usr/bin/passwd
/usr/local/bin/ssh
/usr/local/bin/screen-3.7.2
/usr/X11R6/bin/xload
/usr/X11R6/bin/xterm
/usr/X11R6/bin/XF86_Mach32
/var/qmail/bin/qmail-queue
/bin/su
The best way of doing it, is to log all the SUID binaries you have when you first put your system live...and then monitor the system to see if any odd SUID binaries are added at a later date.
Bear in mind that a strange SUID binary appearing, could be the sign of a hacker backdooring an account. Just in case you do need to remove the SUID bit on something - it can be achieved by executing the chmod command like so:
chmod -s
We briefly mentioned earlier that buffer overflows are tied to SUID binaries being dangerous. This is because our worst fear, being able to make a SUID-root binary (or similar) execute any command of your choice, can come true if a buffer overflow exploit exists in the SUID program.
I planned to include a topic on Buffer Overflows as the next topic in this faq volume, but I realised that there are so many excellent texts on it already, that I would only be rehashing what other people have said. Please google for more information on this topic.
|
Posted on: 02-04-2005
Article has been viewed 30848 times
|
|
Comments |
Comment by marvin - 01-02-2006
where can i get my shell?
Comment by Wang - 02-02-2006
Dont be lazy! If you type shell account into Google.com you will get lots of results featuring companies who provide free and paid *nix shell account hosting.
Comment by zzz - 06-05-2008
10x dude. Nice article for *nix beginners.
Post a comment
Please use the form below to post your comments on this article. All comments will be reviewed by the admin before being published publically.
|
|