On Fri, Apr 28, 2000 at 02:05:46AM +1000, Joe wrote: > Hello all, > > When installing programs with dpkg (and it's various frontends) you get no > warning when a setuid or setgid file is installed. I would consider it > desirable behaviour of dpkg to alert the user who's installing the package > that it contains a setuid or setgid binary, the path of that binary, under > what effective user or group it runs and it's md5 checksum. I think that > this could increase the security of debian systems as it would result in > the person who installs the package being alerted to the fact that it (the > program he/she is installing) may introduce a security problem. Perhaps > an interactive prompt (with an option to override this behaviour on the > command-line) which asks if you would like to continue with the > installation of the package even though it contains a setuid or setgid > program would be appropiate behavior. > > Is there any reason that this hasn't been added to dpkg's code? I don't > think that it would require a change in the format of .deb > packages. Does anyone have any thoughts on this matter? it really does not need to go into dpkg, the proper way to add this is to alter suidmanager to immediatly print out such information when a binary is made suid. all packages should use suidmanager IMO (many already do but there are a few that don't) suidmanager is very nice as it allows the admin to override a suid program, for example i don't need or want /usr/bin/ssh to be suid root so i ran: suidregister /usr/bin/ssh root root 0755 now whenever ssh is upgraded i see a message: suidmanager: OVERRIDE /usr/bin/ssh 0755 or something like that don't remember exactly, but /usr/bin/ssh is never suid now, not for even for a second when its upgraded. this even works for packages that don't use suidmanager, though not as well. every day cron runs suidregister which checks all registered binaries that they match the registered user group and mode, if not it changes there permissions to match the registration. (and mails root if it fails, say because /usr is readonly) another excellant utility is sxid which scans the filesystem every day saving the md5s of all suid binaries along with there permissions and path to a database, comparing with the previous scan and mailing root the differences. this tells me every time a suid binary is upgraded or is permissions changed/removed. unfortunatly sxid appears to have been removed from potato because of one non-reproducable RC bug :( -- Ethan Benson http://www.alaska.net/~erbenson/
Attachment:
pgpSoSOj4N37g.pgp
Description: PGP signature