Skip Navigation Links | |
Exit Print View | |
System Administration Guide: Security Services Oracle Solaris 11 Express 11/10 |
1. Security Services (Overview)
Part II System, File, and Device Security
2. Managing Machine Security (Overview)
3. Controlling Access to Systems (Tasks)
4. Virus Scanning Service (Tasks)
5. Controlling Access to Devices (Tasks)
6. Using the Basic Audit Reporting Tool (Tasks)
7. Controlling Access to Files (Tasks)
Using UNIX Permissions to Protect Files
Commands for Viewing and Securing Files
Special File Permissions (setuid, setgid and Sticky Bit)
Using Access Control Lists to Protect UFS Files
Preventing Executable Files From Compromising Security
Protecting Files With UNIX Permissions (Task Map)
How to Display File Information
How to Change the Owner of a File
How to Change Group Ownership of a File
How to Change File Permissions in Symbolic Mode
How to Change File Permissions in Absolute Mode
How to Change Special File Permissions in Absolute Mode
Protecting Against Programs With Security Risk (Task Map)
Part III Roles, Rights Profiles, and Privileges
8. Using Roles and Privileges (Overview)
9. Using Role-Based Access Control (Tasks)
10. Role-Based Access Control (Reference)
Part IV Oracle Solaris Cryptographic Services
13. Oracle Solaris Cryptographic Framework (Overview)
14. Oracle Solaris Cryptographic Framework (Tasks)
15. Oracle Solaris Key Management Framework
Part V Authentication Services and Secure Communication
16. Using Authentication Services (Tasks)
19. Using Solaris Secure Shell (Tasks)
20. Solaris Secure Shell (Reference)
21. Introduction to the Kerberos Service
22. Planning for the Kerberos Service
23. Configuring the Kerberos Service (Tasks)
24. Kerberos Error Messages and Troubleshooting
25. Administering Kerberos Principals and Policies (Tasks)
26. Using Kerberos Applications (Tasks)
27. The Kerberos Service (Reference)
Part VII Oracle Solaris Auditing
28. Oracle Solaris Auditing (Overview)
29. Planning for Oracle Solaris Auditing
30. Managing Oracle Solaris Auditing (Tasks)
The following task map points to procedures that find risky executables on the system, and that prevent programs from exploiting an executable stack.
|
You should monitor your system for any unauthorized use of the setuid and setgid permissions on programs. The setuid and setgid permissions enable ordinary users to gain superuser capabilities. A suspicious executable file grants ownership to a user rather than to root or bin.
For more information, see How to Obtain Administrative Rights.
# find directory -user root -perm -4000 -exec ls -ldb {} \; >/tmp/filename
Checks all mounted paths starting at the specified directory, which can be root (/), sys, bin, or mail.
Displays files owned only by root.
Displays files only with permissions set to 4000.
Displays the output of the find command in ls -ldb format.
Is the file that contains the results of the find command.
# more /tmp/filename
For background information on setuid permissions, see setuid Permission.
Example 7-6 Finding Files With setuid Permissions
The output from the following example shows that a user in a group called rar has made a personal copy of /usr/bin/sh, and has set the permissions as setuid to root. As a result, the /usr/rar/bin/sh program runs with root permissions.
This output was saved for future reference by moving the /var/tmp/chkprm directory to the /export/sysreports/ckprm directory.
# find / -user root -perm -4000 -exec ls -ldb {} \; > /var/tmp/ckprm # cat /var/tmp/ckprm -r-sr-xr-x 1 root bin 38836 Aug 10 16:16 /usr/bin/at -r-sr-xr-x 1 root bin 19812 Aug 10 16:16 /usr/bin/crontab ---s--x--x 1 root sys 46040 Aug 10 15:18 /usr/bin/ct -r-sr-xr-x 1 root sys 12092 Aug 11 01:29 /usr/lib/mv_dir -r-sr-sr-x 1 root bin 33208 Aug 10 15:55 /usr/lib/lpadmin -r-sr-sr-x 1 root bin 38696 Aug 10 15:55 /usr/lib/lpsched ---s--x--- 1 root rar 45376 Aug 18 15:11 /usr/rar/bin/sh -r-sr-xr-x 1 root bin 12524 Aug 11 01:27 /usr/bin/df -rwsr-xr-x 1 root sys 21780 Aug 11 01:27 /usr/bin/newgrp -r-sr-sr-x 1 root sys 23000 Aug 11 01:27 /usr/bin/passwd -r-sr-xr-x 1 root sys 23824 Aug 11 01:27 /usr/bin/su # mv /var/tmp/ckprm /export/sysreports/ckprm
For a description of the security risks of executable stacks, see Preventing Executable Files From Compromising Security.
For more information, see How to Obtain Administrative Rights.
set noexec_user_stack=1
# init 6
Example 7-7 Disabling the Logging of Executable Stack Messages
In this example, the logging of executable stack messages is disabled, and then the system is rebooted.
# cat /etc/system set noexec_user_stack=1 set noexec_user_stack_log=0 # init 6