JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
System Administration Guide: Security Services     Oracle Solaris 10 1/13 Information Library
search filter icon
search icon

Document Information

Preface

Part I Security Overview

1.  Security Services (Overview)

Part II System, File, and Device Security

2.  Managing Machine Security (Overview)

3.  Controlling Access to Systems (Tasks)

4.  Controlling Access to Devices (Tasks)

5.  Using the Basic Audit Reporting Tool (Tasks)

6.  Controlling Access to Files (Tasks)

Using UNIX Permissions to Protect Files

Commands for Viewing and Securing Files

File and Directory Ownership

UNIX File Permissions

Special File Permissions (setuid, setgid and Sticky Bit)

setuid Permission

setgid Permission

Sticky Bit

Default umask Value

File Permission Modes

Using Access Control Lists to Protect UFS Files

ACL Entries for UFS Files

ACL Entries for UFS Directories

Commands for Administering UFS ACLs

Preventing Executable Files From Compromising Security

Protecting Files (Task Map)

Protecting Files With UNIX Permissions (Task Map)

How to Display File Information

How to Change the Owner of a Local File

How to Change Group Ownership of a File

How to Change File Permissions in Symbolic Mode

How to Change File Permissions in Absolute Mode

How to Change Special File Permissions in Absolute Mode

Protecting UFS Files With ACLs (Task Map)

How to Check if a File Has an ACL

How to Add ACL Entries to a File

How to Copy an ACL

How to Change ACL Entries on a File

How to Delete ACL Entries From a File

How to Display ACL Entries for a File

Protecting Against Programs With Security Risk (Task Map)

How to Find Files With Special File Permissions

How to Disable Programs From Using Executable Stacks

7.  Using the Automated Security Enhancement Tool (Tasks)

Part III Roles, Rights Profiles, and Privileges

8.  Using Roles and Privileges (Overview)

9.  Using Role-Based Access Control (Tasks)

10.  Role-Based Access Control (Reference)

11.  Privileges (Tasks)

12.  Privileges (Reference)

Part IV Cryptographic Services

13.  Oracle Solaris Cryptographic Framework (Overview)

14.  Oracle Solaris Cryptographic Framework (Tasks)

15.  Oracle Solaris Key Management Framework

Part V Authentication Services and Secure Communication

16.  Using Authentication Services (Tasks)

17.  Using PAM

18.  Using SASL

19.  Using Secure Shell (Tasks)

20.  Secure Shell (Reference)

Part VI Kerberos Service

21.  Introduction to the Kerberos Service

22.  Planning for the Kerberos Service

23.  Configuring the Kerberos Service (Tasks)

24.  Kerberos Error Messages and Troubleshooting

25.  Administering Kerberos Principals and Policies (Tasks)

26.  Using Kerberos Applications (Tasks)

27.  The Kerberos Service (Reference)

Part VII Auditing in Oracle Solaris

28.  Oracle Solaris Auditing (Overview)

29.  Planning for Oracle Solaris Auditing

30.  Managing Oracle Solaris Auditing (Tasks)

31.  Oracle Solaris Auditing (Reference)

Glossary

Index

Protecting Against Programs With Security Risk (Task Map)

The following task map points to procedures that find risky executables on the system, and that prevent programs from exploiting an executable stack.

Task
Description
For Instructions
Find files with special permissions
Locates files with the setuid bit set, but that are not owned by the root user.
Prevent executable stack from overflowing
Prevents programs from exploiting an executable stack.
Prevent logging of executable stack messages
Turns off logging of executable stack messages.

How to Find Files With Special File Permissions

You should monitor your system for any unauthorized use of the setuid and setgid permissions on programs. The setuid and setgid permissions enable ordinary users to gain superuser capabilities. A suspicious executable file grants ownership to a user rather than to root or bin.

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in Oracle Solaris Administration: Basic Administration.

  2. Find files with setuid permissions by using the find command.
    # find directory -user root -perm -4000 -exec ls -ldb {} \; >/tmp/filename
    find directory

    Checks all mounted paths starting at the specified directory, which can be root (/), sys, bin, or mail.

    -user root

    Displays files owned only by root.

    -perm -4000

    Displays files only with permissions set to 4000.

    -exec ls -ldb

    Displays the output of the find command in ls -ldb format.

    /tmp/filename

    Is the file that contains the results of the find command.

  3. Display the results in /tmp/filename.
    # more /tmp/filename

    For background information on setuid permissions, see setuid Permission.

Example 6-12 Finding Files With setuid Permissions

The output from the following example shows that a user in a group called rar has made a personal copy of /usr/bin/sh, and has set the permissions as setuid to root. As a result, the /usr/rar/bin/sh program runs with root permissions.

This output was saved for future reference by moving the /var/tmp/chkprm directory to the /export/sysreports/ckprm directory.

# find / -user root -perm -4000 -exec ls -ldb {} \; > /var/tmp/ckprm
# cat /var/tmp/ckprm
-r-sr-xr-x 1 root bin 38836 Aug 10 16:16 /usr/bin/at
-r-sr-xr-x 1 root bin 19812 Aug 10 16:16 /usr/bin/crontab
---s--x--x 1 root sys 46040 Aug 10 15:18 /usr/bin/ct
-r-sr-xr-x 1 root sys 12092 Aug 11 01:29 /usr/lib/mv_dir
-r-sr-sr-x 1 root bin 33208 Aug 10 15:55 /usr/lib/lpadmin
-r-sr-sr-x 1 root bin 38696 Aug 10 15:55 /usr/lib/lpsched
---s--x--- 1 root rar 45376 Aug 18 15:11 /usr/rar/bin/sh
-r-sr-xr-x 1 root bin 12524 Aug 11 01:27 /usr/bin/df
-rwsr-xr-x 1 root sys 21780 Aug 11 01:27 /usr/bin/newgrp
-r-sr-sr-x 1 root sys 23000 Aug 11 01:27 /usr/bin/passwd
-r-sr-xr-x 1 root sys 23824 Aug 11 01:27 /usr/bin/su
# mv /var/tmp/ckprm /export/sysreports/ckprm

How to Disable Programs From Using Executable Stacks

For a description of the security risks of executable stacks, see Preventing Executable Files From Compromising Security.

  1. Assume the Primary Administrator role, or become superuser.

    The Primary Administrator role includes the Primary Administrator profile. To create the role and assign the role to a user, see Chapter 2, Working With the Solaris Management Console (Tasks), in Oracle Solaris Administration: Basic Administration.

  2. Edit the /etc/system file, and add the following line:
    set noexec_user_stack=1
  3. Reboot the system.
    # init 6

Example 6-13 Disabling the Logging of Executable Stack Messages

In this example, the logging of executable stack messages is disabled, and then the system is rebooted.

# cat /etc/system
set noexec_user_stack=1
set noexec_user_stack_log=0
# init 6