Bug 59431

Summary: Way too many SUID root programs
Product: Gentoo Security
Reporter: Daniel <d_lord>
Component: Misc
Assignee: Gentoo Security <security>
Severity: enhancement
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Package list:
Runtime testing required: ---

Description Daniel 2004-08-04 11:37:52 UTC
Per default there are too many binaries with the SUID root bit set. Would be nice to have a choice (USE="-suidroot"). The other and IMHO better option would be to disable SUID root per default and only let the user enable it.
Maybe su or sudo should be left SUID root.

mount -o nosuid may also be an option. Also a separate partition with suid root binaries would be a great improvement.

Reproducible: Always
Steps to Reproduce:
1. find / -perm -4000 > suid.root

Actual Results:  
You get a long list of suid root programs such as xterm!(?) ping etc.

Expected Results:  
Only su or sudo should be setuid root per default.

Portage 2.0.50-r9 (default-x86-2004.2, gcc-3.3.3, glibc-,
System uname: 2.4.25_pre7-gss-r8 i686 AMD Athlon(tm) MP 1500+
Gentoo Base System version 1.4.16
distcc 2.13 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.3 [enabled]
Autoconf: sys-devel/autoconf-2.59-r4
Automake: sys-devel/automake-1.8.3
CFLAGS="-s -Os -march=athlon-mp -mcpu=athlon-mp -pipe -mmmx -msse -m3dnow
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config
/usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/config
/usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/
/usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/
/usr/share/texmf/xdvi/ /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-s -Os -march=athlon-mp -mcpu=athlon-mp -pipe -mmmx -msse -m3dnow
FEATURES="autoaddcvs buildpkg ccache distcc fixpackages sandbox"
USE="3dnow X aalib alsa apm avi berkdb bonobo bttv cdr crypt cups db dvd
dvdr encode f77 foomatic foomaticdb gdbm gif gimp gimpprint gmp gnome gpm gtk
gtk2 gtkhtml guile imap imlib java jpeg lame ldap lesstif libg++ libwww lirc mad
mbox mikmod mmx mng motif mozilla mp3 mpeg ncurses nls odbc ogg oggvorbis oss
pam pdf pdflib perl png ppds ps python quicktime readline ruby samba sane sasl
scanner sdl slang slp spell sse ssl svcd svga tcltk tcpd tetex tiff truetype v4l
vanilla vcd video_cards_rage128 vim wmf x86 xml2 xmms xv zlib"
Comment 1 Tobias Klausmann gentoo-dev 2004-08-04 12:23:35 UTC
With that find command you'll find not only programs which are suid to some other user than root (which is still bad, but nearly as much as UID 0) and directories which have the sticky bit. Calling the latter a security issue by default is a bit harsh, IMO.

Oh, and there are programs which enhance security by being suid root. gpg for example.
Comment 2 Daniel 2004-08-04 13:08:26 UTC
Ok, you may add a -type f to the find command. And yes it may be a good idea to let gpg be set suid root. But why not let the user decide? Or just drop a note while emerging?
Comment 3 Tobias Klausmann gentoo-dev 2004-08-04 13:27:25 UTC
Those notes tend to get lost. While there is no accepted mechanism to make sure all einfos are read... I don't know, I'd feel uneasy both ways.
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2004-08-04 13:47:17 UTC
There is nothing that the Security Team can do to solve that problem as a whole. Some (most) of the programs that have the root SUID set need it. You will break them if you don't have it. So it's a reasonable default to have it set for these packages, and you still have the option of removing it (and breaking the corresponding packages).

If you identify a specific package that has unnecessary root SUID programs, please file a bug for that package (component = Ebuilds) specifically, that way you will be able to convince the package maintainer that this is superfluous.

If you want a global "suidroot" USE flag and want to have every ebuild conform to it, you should bring up a discussion on the gentoo-dev mailing-list and try to convince Gentoo Developers that it is a good idea. Because if it's not accepted by all or part of Gentoo ebuild policy, some ebuilds will not respect it and it won't be useful.
Comment 5 solar (RETIRED) gentoo-dev 2004-08-04 14:14:46 UTC
There is an undocumented feature called suidctl which will remove the sbit from every app at install time unless it's in the allowed list which is defined in /etc/portage/suidctl.conf

mkdir -p /etc/portage
echo '#' >> /etc/portage/suidctl.conf
FEATURES=suidctl emerge beep ; # for example

>>> Preforming suid scan in /var/tmp/portage-pkg/beep-1.2.2/bin
>>> Removing sbit on non registered /usr/bin/beep
>>> Appending commented out entry to /etc/portage/suidctl.conf for beep-1.2.2

ls -l `which beep`
-rwx--x--x  1 root root 10048 Aug  4 17:10 /usr/bin/beep

That should give you the fine grained control you're looking for.
Comment 6 Daniel 2004-08-04 16:11:15 UTC
Thanks, that's exactly what I'm looking for.
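Added example, not Portage's own suidctl code: a minimal shell re-creation of the install-time scan Comment 5 describes, using the find audit from the report with the -type f refinement from Comment 1. Assumed interface: suid_scan IMAGE_DIR CONF, where CONF lists one allowed merged path per line and '#' lines are comments; the demo package image and allow-list are constructed.

```shell
#!/bin/sh
# Hypothetical re-creation of the suidctl FEATURE (not Portage's code):
# strip the setuid bit from every file in a package image that is not
# registered in the allow-list, and append a commented-out entry so the
# admin can opt in later by uncommenting it.

# suid_scan IMAGE_DIR CONF: prints what it does, modifies files in place.
suid_scan() {
    image="$1"; conf="$2"
    echo ">>> Performing suid scan in $image"
    # -type f: ignore sticky-bit directories and anything that is not a
    # regular file (the point raised in Comment 1).
    find "$image" -type f -perm -4000 | while read -r path; do
        rel="${path#"$image"}"        # path as it will appear after merge
        if grep -qxF -- "$rel" "$conf" 2>/dev/null; then
            echo ">>> Keeping registered sbit on $rel"
        else
            echo ">>> Removing sbit on non registered $rel"
            chmod u-s "$path"
            echo "#$rel" >> "$conf"   # commented-out entry, admin decides
        fi
    done
}

# demo WORKDIR: constructed package image with two fake setuid binaries,
# only /usr/bin/ping registered in the allow-list.
demo() {
    work="$1"
    mkdir -p "$work/image/usr/bin" "$work/etc"
    : > "$work/image/usr/bin/beep"
    : > "$work/image/usr/bin/ping"
    chmod 4711 "$work/image/usr/bin/beep" "$work/image/usr/bin/ping"
    printf '#\n/usr/bin/ping\n' > "$work/etc/suidctl.conf"
    suid_scan "$work/image" "$work/etc/suidctl.conf"
}

# Run with:  demo "$(mktemp -d)"
# Afterwards beep has lost its setuid bit, ping keeps it, and the conf file
# contains a new "#/usr/bin/beep" line.
```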