Building your firewall, Part 2

By Carole Fennelly, Unix Insider |  Security

Sep 27 09:32:53 firebox unix: NOTICE: sendmail, uid 0: setuid execution not allowed, dev=1

I get the following output when I run the same test as a nonprivileged user. Note that I am unable to queue the mail message and unable to create files in /tmp through the sendmail program, although I am able to do so through the standard shell:

$ /tmp/sendmail -d fennelly < /dev/null > /tmp/out
ksh: /tmp/out: cannot create
$ /tmp/sendmail -d fennelly < /dev/null > /home/fennelly/out
$ more /tmp/fennelly/out
Non-setuid binary: RunAsUid = RealUid = 1002
.
.
.
drop_privileges(0): Real[UG]id=1002:10, RunAs[UG]id=1002:10

Output from /var/adm/messages:

Sep 27 09:46:18 firebox unix: NOTICE: sendmail, uid 1002: setuid execution not allowed, dev=1

Sep 27 09:47:18 firebox sendmail[328]: NOQUEUE: SYSERR(fennelly): queuename: Cannot create "qfJAA00328" in "/var/spool/mqueue" (euid=1002): Permission denied

The following shows that I can create files in /tmp as a nonprivileged user:

$ cat /etc/hosts > /tmp/hosts
$ 

Aside from that feature being undocumented, pre-Solaris 7 systems also have a bug in the /etc/mnttab entry for /tmp. As far as I can tell, it does not affect the operation of the mount:

$ /usr/sbin/mount
.
.
/export/home on /dev/dsk/c0t1d0s0 setuid/read/write/largefiles on Mon Sep 27 09:00:00 1999
/tmp on swap @ on Mon Sep 27 09:26:15 1999

$ grep tmp /etc/mnttab
swap    /tmp    tmpfs   @,dev=1 938438775

For other filesystems, I use the following mount options:

/usr read only, nosuid
/opt read write, nosuid
/var read write, nosuid

If you need optional packages such as sudo to be setuid, you can make a separate filesystem just for them.
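The following script is an added example, not code from the article: it audits an /etc/mnttab-style table (special, mount point, fstype, options, time) against the mount policy above and reports every filesystem that lacks nosuid (and /usr if it is not read-only). The sample table is constructed; its /tmp line deliberately reproduces the pre-Solaris 7 tmpfs entry, so the script flags /tmp even though nosuid is enforced there, which is why the sendmail test above remains the real check on such systems.

```sh
#!/bin/sh
# Audit helper (added example): verify nosuid on the filesystems the article
# mounts that way. Policy: /usr ro+nosuid; /opt and /var rw+nosuid; /tmp nosuid.

# Constructed sample in /etc/mnttab layout (not a real capture). The /tmp line
# mimics the pre-Solaris 7 tmpfs bug where the options show up as "@".
SAMPLE_MNTTAB='/dev/dsk/c0t0d0s6 /usr ufs ro,nosuid,dev=800006 938438700
/dev/dsk/c0t0d0s5 /opt ufs rw,dev=800005 938438701
/dev/dsk/c0t0d0s7 /var ufs rw,nosuid,dev=800007 938438702
swap /tmp tmpfs @,dev=1 938438775'

# has_opt TABLE MOUNTPOINT OPTION -> exit 0 if the mount point's option list
# contains OPTION as a whole comma-separated word, else exit 1.
has_opt() {
    printf '%s\n' "$1" | awk -v mp="$2" -v want="$3" '
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == want) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# audit_nosuid TABLE -> prints one line per violation and returns the number
# of violations (0 means the policy is satisfied).
audit_nosuid() {
    table="$1"; bad=0
    for mp in /usr /opt /var /tmp; do
        if ! has_opt "$table" "$mp" nosuid; then
            echo "$mp missing nosuid"; bad=$((bad + 1))
        fi
    done
    # /usr must additionally be mounted read-only
    if ! has_opt "$table" /usr ro; then
        echo "/usr not read-only"; bad=$((bad + 1))
    fi
    return $bad
}

# Stand-alone demo against the constructed table: reports /opt and /tmp.
audit_nosuid "$SAMPLE_MNTTAB" || echo "violations: $?"
```

To audit a live system, pass `$(cat /etc/mnttab)` in place of the sample, remembering that a flagged /tmp on pre-Solaris 7 may be the mnttab bug rather than a missing option.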

Strip down the OS

Follow the guidelines in the Solaris Security FAQ for stripping out unnecessary services and binaries. There is more to remove if you install the developer system support.

Prevent TCP sequence prediction attacks
