Full Disclosure mailing list archives
Partial Solution to SUID Problems
From: Todd Burroughs <todd () hostopia com>
Date: Thu, 4 Dec 2003 03:51:42 -0500 (EST)
Several exploits rely on being able to create suid programs or to execute these programs (maybe installed by an old patch, etc.). I have an idea to reduce this problem.

Basically, you mount everything "nosuid", except for one filesystem. This filesystem is obviously only writeable by root; it gets rid of the linking problem discussed last week. I make a small partition and mount everything else "nosuid". I put anything that needs suid or sgid on that filesystem and make symlinks to where it should be. This makes it easy to find SUID programs: run mount and make sure things are mounted nosuid, then look at your "suid partition".

So, does this make sense? It seems to make it easier and more controlled when you patch or add suid binaries. I would love to see us start to use something like this on *NIX systems.

Todd Burroughs

---
The Internet has given us unprecedented opportunity to communicate and share on a global scale without borders; fight to keep it that way.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
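The audit Todd describes ("run mount and make sure things are mounted nosuid, then look at your suid partition"), as an added example that is not part of the original post or of any project: a POSIX sh script that reads /proc/mounts-style lines, reports every mount point that is still mounted without nosuid, and lists the set-uid/set-gid files found on those filesystems. The function names and the sample mount table (a small /suid partition with everything else nosuid) are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a host for the
# "everything nosuid except one partition" layout. Function names and the
# sample mount table below are assumptions made for illustration.

# Read /proc/mounts-style lines on stdin (device mountpoint fstype options ...)
# and print the mount points whose option list does NOT contain "nosuid".
# Every path printed here is a filesystem on which a set-uid binary would
# still execute with elevated privileges.
suid_capable_mounts() {
    awk '{
        n = split($4, opt, ",")
        nosuid = 0
        for (i = 1; i <= n; i++)
            if (opt[i] == "nosuid") nosuid = 1
        if (!nosuid) print $2
    }'
}

# List set-uid and set-gid regular files below one mount point, staying on
# that filesystem (-xdev) so nested mounts are not walked twice.
suid_files_on() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null || true
}

# Given mount-table lines on stdin, print "mountpoint<TAB>file" for every
# set-uid/set-gid file that lives on a filesystem still mounted suid.
# Under the proposed layout only the dedicated partition should show up.
find_suid_files() {
    suid_capable_mounts | while IFS= read -r mp; do
        suid_files_on "$mp" | while IFS= read -r f; do
            printf '%s\t%s\n' "$mp" "$f"
        done
    done
}

# Constructed sample mount table: /, /usr, /home and /tmp are nosuid and
# /suid is the one small partition on which the set-uid bit is honoured.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,nosuid 0 0
/dev/sda2 /usr ext3 rw,nosuid,nodev 0 0
/dev/sda3 /suid ext3 ro 0 0
/dev/sda4 /home ext3 rw,nosuid,nodev,noexec 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'

# "sh suid_audit.sh --live" audits the running system from /proc/mounts;
# without the flag it shows which of the sample mount points would be reported.
if [ "${1:-}" = "--live" ]; then
    find_suid_files < /proc/mounts
else
    printf '%s\n' "$SAMPLE_MOUNTS" | suid_capable_mounts
fi
```

The symlinks left behind at the usual paths need no special handling: the kernel decides whether to honour the set-uid bit based on the mount the resolved target lives on, so a link from a nosuid filesystem into /suid still runs privileged, while a stray real set-uid file on a nosuid filesystem does not. Mount points containing spaces appear escaped (\040) in /proc/mounts and are not unescaped here.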
Current thread:
- Partial Solution to SUID Problems Todd Burroughs (Dec 04)
- Re: Partial Solution to SUID Problems Gino Thomas (Dec 04)
- new dos attack? Geo. (Dec 04)
- Re: new dos attack? Jonathan A. Zdziarski (Dec 04)
- Re: Partial Solution to SUID Problems Ciro (Dec 05)
- Re: Partial Solution to SUID Problems Vladimir Parkhaev (Dec 05)
- Re: Partial Solution to SUID Problems Todd Burroughs (Dec 06)
- Re: Partial Solution to SUID Problems Henning Brauer (Dec 06)
- Re: Partial Solution to SUID Problems Todd Burroughs (Dec 06)
- Re: Partial Solution to SUID Problems Michal Zalewski (Dec 06)
- Re: Partial Solution to SUID Problems Valdis . Kletnieks (Dec 06)