[clue-tech] File permission anomalies under FC3

bof bof at pcisys.net
Tue Jun 14 07:06:24 MDT 2005


Hello,

I've just installed Krud FC3 and in examining it, I've found a large 
number of files that strike me as security holes: some are 
world-writable, some have numbers for owner/groups and some have SUID 
bits set. For example:

world-writable files
-rw-rw-r--  1 20 0 Oct 19  2004 /var/lib/games/gnotski.1.scores
-rw-rw-r--  1 20 0 Oct 19  2004 /var/lib/games/gnibbles.4.1.scores
-rw-rw-r--  1 20 0 Oct 19  2004 /var/lib/games/gnobots2.robots2_easy-super-safe.scores

world-writable directories
drwxrwxr-x  5 jlkottal 4096 May 26 10:54 /home/jlkottal/.evolution
drwxrwxr-x  2 man 4096 Nov 19  2004 /var/cache/man/X11R6/cat3

numbers for owner/group
-rw-rw-r--  1 root 966 Dec 20 11:03 /usr/share/nagios/images/delay.gif
-rw-rw-r--  1 root 1085 Dec 20 11:03 /usr/share/nagios/images/logrotate.png
-rw-rw-r--  1 root 5519 Dec 20 11:03 /usr/share/nagios/images/redundancy.png
-rw-rw-r--  1 20 0 Oct 19  2004 /var/lib/games/mahjongg.pyramid.scores
-rw-rw-r--  1 20 0 Oct 19  2004 /var/lib/games/gnobots2.robots2-super-safe.scores
-rw-rw-r--  1 20 0 Oct 19  2004 /var/lib/games/gnomine.Small.scores

SUID bits set
-r-xr-s--x  1 root 20 70408 Oct 19  2004 /usr/bin/mahjongg
-rwxr-sr-x  1 root nobody 64920 Mar 15 12:11 /usr/bin/ssh-agent
-r-xr-s--x  1 root 20 41264 Oct 19  2004 /usr/bin/glines

Are files like these in fact security holes? If so, what would be the 
best way of eliminating them?

Please note that I am not picking on KRUD FC3: similar problems also 
occur under FC1/FC2 and, IIRC (as it has been some time since I looked at 
them), Slackware and FreeBSD.

BOF
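An added audit script (not from the original message or the distribution) that walks one directory tree and tags each of the three classes asked about above; it works from the actual mode bits, so it keeps group-writable (-rw-rw-r--) apart from world-writable and SUID apart from SGID (an 's' in the group triplet, as in -r-xr-s--x, is SGID). It assumes only a POSIX find(1) and reports without changing anything.

```shell
#!/bin/sh
# Added audit script (not from the original post): tags, for one directory
# tree, each class of anomaly the post asks about, keeping world-writable
# apart from merely group-writable and SUID apart from SGID.
# Read-only: it lists paths and never changes a mode or owner.
# Assumes a POSIX find(1); run as root to traverse every directory.

# Files and directories writable by everyone (mode bit 0002). Sticky
# directories such as /tmp are world-writable by design and are skipped.
world_writable() {
    find "$1" -xdev \( -type f -o -type d \) -perm -0002 \
        ! \( -type d -perm -1000 \) -exec printf 'WORLD_WRITABLE %s\n' {} + 2>/dev/null
}

# Group-writable only (0020 set, 0002 clear): ls shows these as -rw-rw-r--.
# Worth reviewing when many accounts share the group.
group_writable() {
    find "$1" -xdev -type f -perm -0020 ! -perm -0002 \
        -exec printf 'GROUP_WRITABLE %s\n' {} + 2>/dev/null
}

# Owner or group with no entry in /etc/passwd or /etc/group; ls prints the
# raw number, usually a leftover from a removed package or account.
unowned() {
    find "$1" -xdev \( -nouser -o -nogroup \) \
        -exec printf 'UNOWNED %s\n' {} + 2>/dev/null
}

# SUID (4000) runs as the file owner; SGID (2000) runs with the file's group.
# -r-xr-s--x is SGID, not SUID: the 's' sits in the group triplet.
setuid_setgid() {
    find "$1" -xdev -type f -perm -4000 -exec printf 'SUID %s\n' {} + 2>/dev/null
    find "$1" -xdev -type f -perm -2000 -exec printf 'SGID %s\n' {} + 2>/dev/null
}

# Run every check over one tree and emit a sorted "TAG path" report,
# suitable for diffing against a baseline taken right after installation.
audit_tree() {
    { world_writable "$1"; group_writable "$1"; unowned "$1"; setuid_setgid "$1"; } | sort
}

# Number of report lines carrying one tag (grep -c exits 1 on zero matches).
count_tag() {
    audit_tree "$1" | grep -c "^$2 " || :
}

if [ -n "${1:-}" ]; then
    audit_tree "$1"
fi
```

Save a first report as the post-install baseline and diff later runs against it; a new SUID or world-writable entry is then visible at once.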
