Wind River Support Network

Not to be fixed

SCP7-91 : cc-config: some executables have SUID/SGID permission which should NOT be

Created: Apr 1, 2015    Updated: Apr 19, 2018
Resolved Date: Apr 17, 2018
Found In Version: 7.0.0.4
Severity: Standard
Applicable for: Wind River Linux 7
Component/s: Userspace

Description

>>>>>>>>>>>>>>>>>>>>
Start 31_test.sh
<<<<<<<<<<<<<<<<<<<<

* Check executables that should be restricted to root
* Check SUID/SGID executable permissions
Only following binaries are allowed to have SUID/SGID:
/bin/su.util-linux /bin/su.shadow /usr/bin/at /usr/bin/chage /usr/bin/chfn.shadow /usr/bin/chsh.shadow /usr/bin/cgexec /usr/bin/expiry /usr/bin/gpasswd /usr/bin/newgrp.shadow /usr/bin/passwd.shadow /usr/bin/sudo /usr/sbin/unix_chkpwd /usr/sbin/vlock-main /usr/lib64/dbus/dbus-daemon-launch-helper /sbin/gradm_pam /usr/bin/crontab /usr/sbin/postdrop /usr/sbin/postqueue

-rwsr-xr-x. 1 root root 63216 Mar 27 02:52 /bin/busybox.suid
-----
fail : The binary /bin/busybox.suid has SUID/SGID, which should NOT be
-----

-rwsr-xr-x. 1 root root 30752 Mar 27 02:28 /bin/umount.util-linux
-----
fail : The binary /bin/umount.util-linux has SUID/SGID, which should NOT be
-----

-rwsr-xr-x. 1 root root 38944 Mar 27 02:28 /bin/mount.util-linux
-----
fail : The binary /bin/mount.util-linux has SUID/SGID, which should NOT be
-----

-r-sr-xr-x. 1 root root 45944 Mar 27 02:52 /bin/ping.iputils
-----
fail : The binary /bin/ping.iputils has SUID/SGID, which should NOT be
-----

-rwsr-xr--. 1 root shutdown 29112 Mar 27 02:52 /sbin/shutdown.sysvinit
-----
fail : The binary /sbin/shutdown.sysvinit has SUID/SGID, which should NOT be
-----

-rwsr-xr--. 1 root shutdown 20880 Mar 27 02:52 /sbin/halt.sysvinit
-----
fail : The binary /sbin/halt.sysvinit has SUID/SGID, which should NOT be
-----

-r-s--x--x. 1 root root 117544 Mar 27 02:51 /sbin/mount.nfs
-----
fail : The binary /sbin/mount.nfs has SUID/SGID, which should NOT be
-----

-r-sr-xr-x. 1 root root 49616 Mar 27 02:52 /usr/bin/ping6.iputils
-----
fail : The binary /usr/bin/ping6.iputils has SUID/SGID, which should NOT be
-----

-r-sr-xr-x. 1 root root 21072 Mar 27 02:52 /usr/bin/traceroute6.iputils
-----
fail : The binary /usr/bin/traceroute6.iputils has SUID/SGID, which should NOT be
-----

-r-sr-xr-x. 1 root root 355032 Mar 27 02:51 /usr/sbin/pppd
-----
fail : The binary /usr/sbin/pppd has SUID/SGID, which should NOT be
-----

-rwsr-xr-x. 1 root root 168264 Mar 27 02:51 /usr/sbin/lsof
-----
fail : The binary /usr/sbin/lsof has SUID/SGID, which should NOT be
-----

Steps to Reproduce

1. wrlinux/configure --enable-board=qemux86-64 --enable-kernel=secure --enable-rootfs=secure-platform --enable-bootimage=ext3 --with-init=sysvinit

2. make fs

3. Check the permissions of the following executables; no SUID/SGID is expected:
/bin/busybox.suid
/bin/umount.util-linux
/bin/mount.util-linux
/bin/ping.iputils
/sbin/shutdown.sysvinit
/sbin/halt.sysvinit
/sbin/mount.nfs
/usr/bin/ping6.iputils
/usr/bin/traceroute6.iputils
/usr/sbin/pppd
/usr/sbin/lsof
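
The check in step 3, written as an added example (this is not Wind River's 31_test.sh, whose source is not shown on this page): it walks an unpacked root filesystem and reports every SUID/SGID regular file that is not on the allowlist quoted in the Description. The function name audit_suid and the root filesystem path argument are assumptions.

```sh
#!/bin/sh
# Added example. Allowlist copied from the 31_test.sh output quoted above.
ALLOWED="
/bin/su.util-linux /bin/su.shadow /usr/bin/at /usr/bin/chage
/usr/bin/chfn.shadow /usr/bin/chsh.shadow /usr/bin/cgexec /usr/bin/expiry
/usr/bin/gpasswd /usr/bin/newgrp.shadow /usr/bin/passwd.shadow /usr/bin/sudo
/usr/sbin/unix_chkpwd /usr/sbin/vlock-main
/usr/lib64/dbus/dbus-daemon-launch-helper /sbin/gradm_pam /usr/bin/crontab
/usr/sbin/postdrop /usr/sbin/postqueue
"

# audit_suid ROOT  (hypothetical helper name)
# ROOT is the directory holding the unpacked root filesystem; defaults to /.
# Prints one "fail" line per SUID/SGID regular file that is not allowlisted.
# Returns 0 when the tree is clean and 1 when at least one file is reported.
audit_suid() {
    as_root=${1:-/}
    as_prefix=${as_root%/}   # stripped from each hit to get the in-image path
    as_status=0
    # -perm -4000 matches SUID, -perm -2000 matches SGID; -xdev stays on one
    # filesystem so /proc and similar mounts are skipped when ROOT is /.
    as_found=$(find "$as_root" -xdev -type f \
        \( -perm -4000 -o -perm -2000 \) -print | sort)
    while IFS= read -r as_path; do
        [ -n "$as_path" ] || continue
        as_rel=${as_path#"$as_prefix"}
        # Exact whole-line match against the allowlist, one entry per line.
        if printf '%s\n' $ALLOWED | grep -Fxq -- "$as_rel"; then
            continue
        fi
        echo "fail : The binary $as_rel has SUID/SGID, which should NOT be"
        as_status=1
    done <<EOF
$as_found
EOF
    return "$as_status"
}

# Usage: sh audit_suid.sh /path/to/unpacked/rootfs
if [ "$#" -gt 0 ]; then
    audit_suid "$1"
fi
```
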