Protecting Against Programs With Security Risk (Task Map)
The following task map points to procedures that find risky executables on the
system, and that prevent programs from exploiting an executable stack.
How to Find Files With Special File Permissions
You should monitor your system for any unauthorized use of the setuid
and setgid permissions on programs. The setuid and setgid permissions enable ordinary users
to gain superuser capabilities. An executable file that is owned by an ordinary user,
rather than by root or bin, is suspicious.
- Assume the Primary Administrator role, or become superuser.
The Primary Administrator role includes the Primary Administrator profile. To create the role
and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
- Find files with setuid permissions by using the find command.
# find directory -user root -perm -4000 -exec ls -ldb {} \; >/tmp/filename
- find directory
Checks all mounted paths starting at the specified directory, which can be root (/), sys, bin, or mail.
- -user root
Displays files owned only by root.
- -perm -4000
Displays only files that have the setuid bit (4000) set.
- -exec ls -ldb
Displays the output of the find command in ls -ldb format.
- >/tmp/filename
Saves the output of the find command in the file /tmp/filename.
- Display the results in /tmp/filename.
# more /tmp/filename
For background information on setuid permissions, see setuid Permission.
Example 7-12 Finding Files With setuid Permissions
The output from the following example shows that a user named rar
has made a personal copy of /usr/bin/sh, and has set the permissions as setuid
to root. As a result, the /usr/rar/bin/sh program runs with root permissions.
This output was saved for future reference by moving the file out
of the /tmp directory.
# find / -user root -perm -4000 -exec ls -ldb {} \; > /var/tmp/ckprm
# cat /var/tmp/ckprm
-r-sr-xr-x 1 root bin 38836 Aug 10 16:16 /usr/bin/at
-r-sr-xr-x 1 root bin 19812 Aug 10 16:16 /usr/bin/crontab
---s--x--x 1 root sys 46040 Aug 10 15:18 /usr/bin/ct
-r-sr-xr-x 1 root sys 12092 Aug 11 01:29 /usr/lib/mv_dir
-r-sr-sr-x 1 root bin 33208 Aug 10 15:55 /usr/lib/lpadmin
-r-sr-sr-x 1 root bin 38696 Aug 10 15:55 /usr/lib/lpsched
---s--x--- 1 root rar 45376 Aug 18 15:11 /usr/rar/bin/sh
-r-sr-xr-x 1 root bin 12524 Aug 11 01:27 /usr/bin/df
-rwsr-xr-x 1 root sys 21780 Aug 11 01:27 /usr/bin/newgrp
-r-sr-sr-x 1 root sys 23000 Aug 11 01:27 /usr/bin/passwd
-r-sr-xr-x 1 root sys 23824 Aug 11 01:27 /usr/bin/su
# mv /var/tmp/ckprm /export/sysreports/ckprm
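As an added example that is not part of this guide, the following script compares a saved report such as /export/sysreports/ckprm against a fresh one in the ls -ldb format shown above, and separately flags entries that lie outside the system directories or system groups. The function names, the baseline handling, and the sample report lines are constructed for illustration.

```shell
# Added example, not from the Solaris guide. Reports are assumed to be in the
# "ls -ldb" format produced by the find command above.

# Reduce each report line to "mode owner group path". Size and date are dropped
# so that rebuilds of unchanged programs do not show up as new setuid files.
normalize_report() {
    awk 'NF >= 9 { print $1, $3, $4, $NF }' "$1" | sort
}

# Print entries present in the current report ($2) but absent from the baseline ($1).
new_setuid_entries() {
    tmp_base=$(mktemp); tmp_cur=$(mktemp)
    normalize_report "$1" > "$tmp_base"
    normalize_report "$2" > "$tmp_cur"
    comm -13 "$tmp_base" "$tmp_cur"
    rm -f "$tmp_base" "$tmp_cur"
}

# Flag entries whose path is outside the usual system directories or whose group
# is not a system group. Either test alone catches /usr/rar/bin/sh from Example 7-12.
suspicious_entries() {
    awk 'NF >= 9 {
        path = $NF; grp = $4
        in_sys  = (path ~ "^/(usr/(bin|sbin|lib)|sbin|bin|lib)/")
        sys_grp = (grp == "root" || grp == "bin" || grp == "sys")
        if (!in_sys || !sys_grp) print $1, $3, grp, path
    }' "$1"
}

# Constructed sample reports modelled on Example 7-12 (baseline, then current);
# they are not output from a real system.
write_sample_reports() {
    cat > "$1" <<'EOF'
-r-sr-xr-x 1 root bin 38836 Aug 10 16:16 /usr/bin/at
-r-sr-xr-x 1 root sys 23824 Aug 11 01:27 /usr/bin/su
EOF
    cat > "$2" <<'EOF'
-r-sr-xr-x 1 root bin 38900 Sep 02 09:10 /usr/bin/at
-r-sr-xr-x 1 root sys 23824 Aug 11 01:27 /usr/bin/su
---s--x--- 1 root rar 45376 Aug 18 15:11 /usr/rar/bin/sh
EOF
}

# Usage: sh checkprm.sh /export/sysreports/ckprm /var/tmp/ckprm
if [ "$#" -eq 2 ]; then
    echo "New setuid entries:";  new_setuid_entries "$1" "$2"
    echo "Suspicious entries:";  suspicious_entries "$2"
fi
```

Only the normalized mode, owner, group and path are compared, so a size or date change on an existing system program is not reported; a changed mode or owner is.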
How to Disable Programs From Using Executable Stacks
For a description of the security risks of executable stacks, see Preventing Executable Files From Compromising Security.
- Assume the Primary Administrator role, or become superuser.
The Primary Administrator role includes the Primary Administrator profile. To create the role
and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
- Edit the /etc/system file, and add the following line:
set noexec_user_stack=1
- Reboot the system.
# init 6
Example 7-13 Disabling the Logging of Executable Stack Messages
In this example, the logging of executable stack messages is disabled, and then
the system is rebooted.
# cat /etc/system
set noexec_user_stack=1
set noexec_user_stack_log=0
# init 6