Archive for May, 2012

SBDavid

How to set Daemon umask

Edit the file /etc/sysconfig/init, and add or correct the following line:

umask 027

The file /etc/sysconfig/init holds settings that apply to all processes started at boot time.

The system umask must be set to at least 022, or daemon processes may create world-writable files. The more restrictive setting 027 protects files, including temporary files and log files, from unauthorized reading by unprivileged users on the system. If a particular daemon needs a less restrictive umask, consider editing the startup script or sysconfig file of that daemon to make a specific exception.
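The following script is an added example and is not part of the original post. It shows what a given umask does to newly created files and directories, and it checks a sysconfig-style file for a umask line that is at least as restrictive as 022. The sample file it writes is constructed here to stand in for /etc/sysconfig/init; the function names are my own.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Shows what a umask does to
# files and directories created under it, and checks a sysconfig-style file
# for a umask line that is at least as restrictive as 022.

# Return 0 when MASK (an octal string such as 027; symbolic forms are not
# handled) clears both the group-write and other-write bits, which is what
# "at least 022" means for a mask.
umask_at_least_022() {
    local mask=$1
    [ $(( (0$mask & 0022) == 0022 )) -eq 1 ]
}

# Create one file and one directory under MASK in a throwaway directory and
# print their resulting modes as "FILE DIR", e.g. "640 750" for umask 027.
# Files start from 0666 and directories from 0777 before the mask applies.
modes_under_umask() {
    local mask=$1 tmp
    tmp=$(mktemp -d) || return 1
    (
        umask "$mask"
        : > "$tmp/f"
        mkdir "$tmp/d"
        printf '%s %s\n' "$(stat -c %a "$tmp/f")" "$(stat -c %a "$tmp/d")"
    )
    rm -rf "$tmp"
}

# Report the umask that FILE (the real /etc/sysconfig/init or a copy) would
# set. The file is sourced by the init scripts, so when several umask lines
# are present the last one wins; commented-out lines are ignored.
# Prints the mask on success; fails when it is absent or looser than 022.
check_init_umask() {
    local file=$1 mask
    mask=$(awk '$1 == "umask" { m = $2 } END { print m }' "$file")
    if [ -z "$mask" ]; then
        echo "no umask line in $file" >&2
        return 1
    fi
    if ! umask_at_least_022 "$mask"; then
        echo "umask $mask in $file is looser than 022" >&2
        return 1
    fi
    echo "$mask"
}

# Constructed sample standing in for /etc/sysconfig/init: an older 022 line
# left in place, a commented-out 000, and the recommended 027 last.
demo_init_umask() {
    local sample
    sample=$(mktemp) || return 1
    printf 'umask 022\n# umask 000\numask 027\n' > "$sample"
    check_init_umask "$sample"
    rm -f "$sample"
}
```

Run check_init_umask against the real /etc/sysconfig/init to confirm the effective value; the "last line wins" rule matters because a leftover 022 line below a new 027 line silently undoes the change.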

How to find Unauthorized SUID/SGID System Executables and fix them

The following command discovers and prints any setuid or setgid files on local partitions. Run it once for each local partition PART:

# find PART -xdev \( -perm -4000 -o -perm -2000 \) -type f -print

If a reported file does not require its setuid or setgid bit, remove the bits with the command:

# chmod -s file
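As an added example (not code from the original post), the script below wraps the find command above so its output can be compared against a baseline of files that are known to need the bit, applies the chmod -s fix to anything not on the baseline, and re-checks. The baseline file format (one sorted path per line) and the demonstration tree are my own constructions.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Wraps the post's find(1)
# command so its output can be diffed against a baseline of expected
# setuid/setgid files, applies the chmod -s fix, and re-checks.

# Print setuid/setgid regular files under DIR, sorted, one per line.
# -xdev keeps find on the partition DIR lives on, as in the post.
list_setxid() {
    find "$1" -xdev \( -perm -4000 -o -perm -2000 \) -type f -print | sort
}

# Print paths from list_setxid DIR that are absent from BASELINE, a sorted
# file of paths known to need the bit (assumed to be maintained per host,
# e.g. captured from a freshly installed, known-good system).
unexpected_setxid() {
    list_setxid "$1" | comm -23 - "$2"
}

# The post's fix: clear both bits on FILE, then print its new octal mode.
strip_setxid() {
    chmod -s "$1" && stat -c %a "$1"
}

# Constructed demonstration tree: one approved setuid file, one rogue setuid
# file, one rogue setgid file and one ordinary file. Prints the rogue
# basenames, strips their bits, then prints how many unexpected remain.
demo_setxid() {
    local tmp
    tmp=$(mktemp -d) || return 1
    touch "$tmp/expected-suid" "$tmp/rogue-suid" "$tmp/rogue-sgid" "$tmp/plain"
    chmod 4755 "$tmp/expected-suid" "$tmp/rogue-suid"
    chmod 2755 "$tmp/rogue-sgid"
    chmod 755 "$tmp/plain"
    printf '%s\n' "$tmp/expected-suid" > "$tmp/baseline"

    # read -r line by line so paths containing spaces are handled
    unexpected_setxid "$tmp" "$tmp/baseline" | while IFS= read -r rogue; do
        basename "$rogue"
        strip_setxid "$rogue" > /dev/null
    done
    echo "remaining: $(unexpected_setxid "$tmp" "$tmp/baseline" | awk 'END { print NR }')"
    rm -rf "$tmp"
}
```

Keeping the baseline under version control turns this from a one-off audit into a repeatable check: any new line in the comm output is either a deliberate change to record or something to investigate.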

How to verify that all World-Writable Directories Have Proper Ownership

Locate any directories in local partitions which are world-writable and ensure that they are owned by root or another system account.

The following command will discover and print these (assuming only system accounts have a uid lower than 500). Run it once for each local partition PART:

# find PART -xdev -type d -perm -0002 -uid +500 -print

If this command produces any output, investigate why the current owner is not root or another system account.

Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users.

How to find and Repair Unowned Files

The following command will discover and print any files on local partitions which do not belong to a valid user and a valid group. Run it once for each local partition PART:

# find PART -xdev \( -nouser -o -nogroup \) -print

If this command prints any results, investigate each reported file and either assign it to an appropriate user and group or remove it.

Unowned files are not directly exploitable, but they are generally a sign that something is wrong with some system process. They may be caused by an intruder, by incorrect software installation or incomplete software removal, or by failure to remove all files belonging to a deleted account. The files should be repaired so that they will not cause problems when accounts are created in the future, and the problem which led to unowned files should be discovered and addressed.

Security - verify that All World-Writable Directories Have Sticky Bits Set

Locate any directories in local partitions which are world-writable and do not have their sticky bits set. The following command will discover and print these. Run it once for each local partition PARTITION:

# find PARTITION -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print

If this command produces any output, fix each reported directory /dir using the command:

# chmod +t /dir

When the so-called “sticky bit” is set on a directory, only the owner of a given file may remove that file from the directory. Without the sticky bit, any user with write access to a directory may remove any file in the directory. Setting the sticky bit prevents users from removing each other’s files. In cases where there is no reason for a directory to be world-writable, a better solution is to remove that permission rather than to set the sticky bit.
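The script below is an added example, not code from either of the world-writable-directory posts above. It covers both checks: ownership of a world-writable directory by a non-system account, and a world-writable directory without the sticky bit, with the chmod +t fix applied and re-verified. Two adjustments are mine: the UID threshold is read from UID_MIN in /etc/login.defs when that file exists (newer distributions use 1000 rather than the 500 the post assumes), and because find's -uid +N means "greater than N", the script passes UID_MIN minus one so that the first regular account is included. The demonstration tree is constructed.

```bash
#!/usr/bin/env bash
# Added example, not code from the original posts. Covers both checks on
# world-writable directories: ownership by a non-system account, and a
# missing sticky bit, with the post's chmod +t fix applied and re-verified.

# Lowest UID of a regular (non-system) account. The posts assume 500; newer
# distributions use 1000 and record it as UID_MIN in /etc/login.defs, so
# read that when present and fall back to the posts' value otherwise.
first_user_uid() {
    local uid
    uid=$(awk '$1 == "UID_MIN" { print $2 }' /etc/login.defs 2>/dev/null)
    echo "${uid:-500}"
}

# World-writable directories under DIR owned by a non-system account.
# find's -uid +N means "greater than N", so pass UID_MIN - 1 to include
# the first regular account as well.
user_owned_world_writable() {
    local min
    min=$(first_user_uid)
    find "$1" -xdev -type d -perm -0002 -uid +$((min - 1)) -print | sort
}

# World-writable directories under DIR that lack the sticky bit (the
# second post's find command), sorted.
world_writable_without_sticky() {
    find "$1" -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print | sort
}

# The post's fix for one directory, printing its new octal mode.
set_sticky() {
    chmod +t "$1" && stat -c %a "$1"
}

# Constructed tree: "shared" is world-writable without the sticky bit,
# "sticky" is world-writable with it, "private" is not world-writable.
# Prints the basenames that need fixing, fixes them, then the count left.
demo_sticky() {
    local tmp
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/shared" "$tmp/sticky" "$tmp/private"
    chmod 0777 "$tmp/shared"
    chmod 1777 "$tmp/sticky"
    chmod 0755 "$tmp/private"
    world_writable_without_sticky "$tmp" | while IFS= read -r d; do
        basename "$d"
        set_sticky "$d" > /dev/null
    done
    echo "remaining: $(world_writable_without_sticky "$tmp" | awk 'END { print NR }')"
    rm -rf "$tmp"
}
```

user_owned_world_writable cannot be exercised in a throwaway directory without root to change ownership, so the demonstration covers only the sticky-bit half; on a real host, run both functions against each local partition and, as the first post says, treat any output from the ownership check as something to investigate rather than silently chown.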
