Set user ID (setuid) programs are among the most frequently used programs at a UNIX site. A process that invokes a setuid program automatically acquires the identity of the owner of the setuid program. If the owner of a setuid program is root, then any user automatically becomes a superuser by invoking the setuid program. While the setuid program runs, the process can perform any task that the superuser is permitted to perform. Ensure that setuid programs perform only their intended task: a back door or shell within a setuid program grants the invoking user access to everything on the system.
CA ControlMinder uses the PROGRAM class to protect setuid and setgid programs. Upon installation, CA ControlMinder permits execution of any program by default. After defining trusted programs in the database, you can change the behavior of CA ControlMinder so that execution of a setuid or setgid program is prohibited unless the program is defined as a trusted program. For example, to allow /bin/ps (the process status program) to run as a setgid program (as it is supposed to), use the following selang command:
newres PROGRAM /bin/ps defaccess(EXEC)
CA ControlMinder registers the program /bin/ps as a trusted program. It then calculates and stores its CRC, inode number, size, device number, owner, group, permission bits, last modification time, and, optionally, other digital signatures in a record in the PROGRAM class of the database.
The Watchdog periodically checks the program's CRC, size, inode, and the rest of the stored characteristics. If any of these values have changed, the Watchdog automatically asks seosd to remove the program from the trusted programs list and deny access to it. This ensures that no one can misuse a trusted program by modifying or moving it. Note that the defaccess(EXEC) permission in the example newres command allows all users, including those not defined in the database, to run the /bin/ps command.
Untrusted setuid programs are possibly the most dangerous security loophole of UNIX-based operating systems. Using the access rules of trusted programs, the security administrator can restrict the use of setuid to certain trusted programs that were tested and checked to ensure their integrity. However, not every user can automatically start a trusted executable; the access rule must specify explicit users and groups that are granted access to that setuid program. For example, the following set of selang commands grants execution of /bin/su only to the System Department users (group sysdept):
newres PROGRAM /bin/su defaccess(NONE)
authorize PROGRAM /bin/su gid(sysdept) access(EXEC)
Use an asterisk (*) to specify all users who are defined in the database. For example, to permit all users who are defined to CA ControlMinder to perform the su command, enter the following command:
authorize PROGRAM /bin/su uid(*) access(EXEC)
This description also applies to setgid executables.
You can use the nr and er commands to register the setuid and setgid programs in the PROGRAM class. Important programs that are not setuid or setgid can be registered in the PROGRAM class in the same way. Define a FILE rule for these programs to prevent unauthorized users from upgrading them. If you want to allow a program to execute even after it has become untrusted (that is, after an upgrade the program runs without being re-trusted), set the blockrun property to no.
To set the value of the blockrun property to yes, use the following editres/newres command:
er program /bin/p blockrun
To set the value of the blockrun property to no, use the following editres/newres command:
er program /bin/p blockrun-
By default, for all the programs registered in the PROGRAM class, the blockrun property is set to yes. You can change this using the SetBlockRun token in the seos.ini file. Refer to the seos.ini file description for details.
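The following Python script is an added illustration of the two mechanisms described above, the characteristics stored for a trusted program and the Watchdog's change check, and the blockrun setting that decides whether an untrusted program may still run. It is not CA ControlMinder's own code or the Watchdog's implementation; the function names are this example's own, the program it checks is a constructed temporary file, and zlib's CRC-32 is assumed as a stand-in for whatever CRC the product uses.

```python
import shutil
import stat
import tempfile
import zlib
from pathlib import Path

# The characteristics the text says are stored for a trusted program.
FIELDS = ("crc", "inode", "size", "device", "owner", "group", "mode", "mtime")

def fingerprint(path):
    """Record the trusted-program characteristics of a file, keyed by FIELDS."""
    p = Path(path)
    st = p.stat()
    crc = zlib.crc32(p.read_bytes()) & 0xFFFFFFFF  # assumption: CRC-32 stands in for the product's CRC
    return {"crc": crc, "inode": st.st_ino, "size": st.st_size,
            "device": st.st_dev, "owner": st.st_uid, "group": st.st_gid,
            "mode": stat.S_IMODE(st.st_mode), "mtime": st.st_mtime_ns}

def changed_fields(path, trusted):
    """Names of characteristics that no longer match the stored record."""
    current = fingerprint(path)
    return [name for name in FIELDS if current[name] != trusted[name]]

def execution_denied(path, trusted, blockrun=True):
    """An untrusted program is denied only while blockrun is yes (the default)."""
    return blockrun and bool(changed_fields(path, trusted))

def demo():
    """Constructed scenario: a fake setuid program is registered, edited, then replaced."""
    workdir = tempfile.mkdtemp()
    prog = Path(workdir) / "fakeprog"  # hypothetical program, not a real binary
    content = b"#!/bin/sh\necho ok\n"
    prog.write_bytes(content)
    prog.chmod(0o4755)  # setuid bit set, as on a real setuid program
    trusted = fingerprint(prog)
    result = {"registered": changed_fields(prog, trusted)}
    # Tamper in place: CRC and size change, the inode does not.
    with open(prog, "ab") as f:
        f.write(b"\n")
    result["after_edit"] = changed_fields(prog, trusted)
    result["denied"] = execution_denied(prog, trusted)
    result["denied_with_blockrun_no"] = execution_denied(prog, trusted, blockrun=False)
    # Swap in a file with the original content: CRC and size match again, the inode differs.
    replacement = prog.with_suffix(".new")
    replacement.write_bytes(content)
    replacement.chmod(0o4755)
    replacement.replace(prog)
    result["after_replace"] = changed_fields(prog, trusted)
    shutil.rmtree(workdir)
    return result
```

The second scenario is the point of storing the inode alongside the CRC: a file swapped in with byte-identical content still fails the check.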
Note: CA ControlMinder uses the PROGRAM class and not the FILE class to protect setuid and setgid programs.
Copyright © 2013 CA Technologies.
All rights reserved.