LinuxSecurity.com
Linux Advisory Watch: July 1st 2005
Source: LinuxSecurity.com Contributors - Posted by Benjamin D. Thomas
This week, advisories were released for crip, NetworkManager, HelixPlayer, gedit, gzip, selinux, gnome, openssh, libwpd, openoffice, openssh, binutils, totem, rgmanager, magma-plugins, iddev, fence, dlm, cman, ccs, GFS, mod_perl, Heimdal, and sudo. The distributors include Debian, Fedora, Gentoo, and Red Hat.



Linux File & Directory Permissions Mistakes
By: Pax Dickinson

Greetings, gentle reader, and welcome to linuxsecurity.com and our new recurring series of articles on security related mistakes and how to avoid them. I'm your host, Pax Dickinson, and today we'll be reviewing basic Linux file and directory permissions and how to avoid some common pitfalls in their use, in this episode of Hacks From Pax.

One common mistake Linux administrators make is setting file and directory permissions that are far too liberal and allow access beyond what is needed for proper system operation. A full explanation of Unix file permissions is beyond the scope of this article, so I'll assume you are familiar with the usage of such tools as chmod, chown, and chgrp. If you'd like a refresher, one is available right here on linuxsecurity.com.

I've witnessed systems administrators whose response to a user complaining about being denied access to a given file is to chmod 777 the file (or entire directory tree) in question. This is an absolutely disastrous security practice: the administrator has just granted write access to the file to any user on the system. Any compromised service will allow an attacker to modify the file, which could result in further access depending on the file in question. For example, an attacker gaining write access to a script that is occasionally run by root can parlay this seemingly minor security hole into full root access for himself.

  • Never make files world-writable. Most files do not need to be world readable either.

  • You can search for world-writable files under your current directory by issuing the following command: find . -perm -2 -print

A related mistake is in the misuse of suid root binaries. These are programs which can be launched by a user but run with all the privileges of root. These programs are needed to perform tasks such as changing a user's password, since that requires a write to the system's password file which normally cannot be modified by anyone but root. A flaw that allows an attacker to gain a shell prompt in such a program can give an attacker root access to the system. These binaries should be carefully limited and must be kept up to date with appropriate security patches to minimize their risk. A common backdoor installed by successful attackers is a copy of /bin/sh set suid root. This can be run by any user on the system, without a password, and will result in full root access.
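
The two checks described above (world-writable files and suid root binaries) written as a small audit script. This is an added example, not part of the original article; the function names are hypothetical, and it goes slightly beyond the text by also flagging world-writable directories that lack the sticky bit.

```shell
#!/bin/sh
# Added example: permission audit helpers. Function names are hypothetical.

# World-writable regular files. -type f skips symlinks, which always report
# mode 777 and would otherwise clutter plain "find . -perm -2" output.
world_writable_files() {
    find "$1" -xdev -type f -perm -0002 -print 2>/dev/null | sort
}

# World-writable directories without the sticky bit: any local user can
# rename or delete other users' files there. Mode 1777 (as on /tmp) is not listed.
unsafe_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null | sort
}

# Setuid files owned by a user (default: root). Compare against a known-good
# baseline; an unexpected entry such as a setuid copy of a shell is a red flag.
setuid_files() {
    find "$1" -xdev -type f -user "${2:-root}" -perm -4000 -print 2>/dev/null | sort
}

# Print a labelled report; return non-zero if anything world-writable exists.
audit_tree() {
    ww=$(world_writable_files "$1"; unsafe_writable_dirs "$1")
    [ -n "$ww" ] && printf '%s\n' "$ww" | sed 's/^/WORLD-WRITABLE: /'
    setuid_files "$1" | sed 's/^/SETUID-ROOT: /'
    [ -z "$ww" ]
}

# Usage: sh audit.sh /path/to/tree
if [ "$#" -gt 0 ]; then audit_tree "$1"; fi
```

The -xdev option keeps each scan on one filesystem, so run it once per mounted filesystem you want covered.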

Read Complete Article:
http://www.linuxsecurity.com/content/view/119415/49/

 

LinuxSecurity.com Feature Extras:

Getting to Know Linux Security: File Permissions - Welcome to the first tutorial in the 'Getting to Know Linux Security' series. The topic explored is Linux file permissions. It offers an easy to follow explanation of how to read permissions, and how to set them using chmod. This guide is intended for users new to Linux security, therefore very simple. If the feedback is good, I'll consider creating more complex guides for advanced users. Please let us know what you think and how these can be improved.

The Tao of Network Security Monitoring: Beyond Intrusion Detection - To be honest, this was one of the best books that I've read on network security. Other books often dive so deeply into technical discussions, they fail to provide any relevance to network engineers/administrators working in a corporate environment. Budgets, deadlines, and flexibility are issues that we must all address. The Tao of Network Security Monitoring is presented in such a way that all of these are still relevant.

Encrypting Shell Scripts - Do you have scripts that contain sensitive information like passwords and you pretty much depend on file permissions to keep it secure? If so, then that type of security is good provided you keep your system secure and some user doesn't have a "ps -ef" loop running in an attempt to capture that sensitive info (though some applications mask passwords in "ps" output).

 

Take advantage of our Linux Security discussion list! This mailing list is for general security-related questions and comments. To subscribe send an e-mail to security-discuss-request@linuxsecurity.com with "subscribe" as the subject.

Thank you for reading the LinuxSecurity.com weekly security newsletter. The purpose of this document is to provide our readers with a quick summary of each week's most relevant Linux security headlines.


   Debian
  Debian: New crip packages fix insecure temporary files
  30th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119456
 
   Fedora
  Fedora Core 4 Update: NetworkManager-0.4-18.FC4
  24th, June, 2005

This update to NetworkManager includes a number of enhancements.

http://www.linuxsecurity.com/content/view/119413
 
  Fedora Core 3 Update: kernel-2.6.11-1.35_FC3
  24th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119414
 
  Fedora Core 4 Update: HelixPlayer-1.0.5-1.fc4.2
  27th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119417
 
  Fedora Core 3 Update: HelixPlayer-1.0.5-0.fc3.2
  27th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119418
 
  Fedora Core 3 Update: gedit-2.8.1-2.fc3.1
  27th, June, 2005

An updated gedit package that fixes a file name format string vulnerability is now available.

http://www.linuxsecurity.com/content/view/119419
 
  Fedora Core 4 Update: gedit-2.10.2-4
  27th, June, 2005

An updated gedit package that fixes a file name format string vulnerability is now available.

http://www.linuxsecurity.com/content/view/119420
 
  Fedora Core 3 Update: gzip-1.3.3-15.fc3
  27th, June, 2005

This gzip update fixes three small security problems.

http://www.linuxsecurity.com/content/view/119423
 
  Fedora Core 3 Update: selinux-policy-targeted-1.17.30-3.13
  27th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119424
 
  Fedora Core 4 Update: gnome-panel-2.10.1-10.1
  28th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119429
 
  Fedora Core 3 Update: openssh-3.9p1-8.0.2
  28th, June, 2005

This is a bug fix update fixing two bugs in ssh client and server code.

http://www.linuxsecurity.com/content/view/119431
 
  Fedora Core 4 Update: libwpd-0.8.2-1.fc4
  29th, June, 2005

Better handle broken wordperfect documents

http://www.linuxsecurity.com/content/view/119437
 
  Fedora Core 4 Update: openoffice.org-1.9.112-1.1.0.fc4
  29th, June, 2005

fix a raft of i18n issues

http://www.linuxsecurity.com/content/view/119438
 
  Fedora Core 3 Update: openssh-3.9p1-8.0.2 (corrected)
  29th, June, 2005

This is a bug fix update fixing two bugs in ssh client and server code.

http://www.linuxsecurity.com/content/view/119439
 
  Fedora Core 3 Update: selinux-policy-targeted-1.17.30-3.15
  29th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119440
 
  Fedora Core 4 Update: selinux-policy-targeted-1.23.18-17
  29th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119441
 
  Fedora Core 3 Update: binutils-2.15.92.0.2-5.1
  29th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119442
 
  Fedora Core 4 Update: binutils-2.15.94.0.2.2-2.1
  29th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119443
 
  Fedora Core 4 Update: totem-1.0.4-1
  29th, June, 2005

Updated package.

http://www.linuxsecurity.com/content/view/119444
 
  Fedora Core 4 Update: rgmanager-1.9.34-5
  29th, June, 2005

Updated upstream sources.

http://www.linuxsecurity.com/content/view/119445
 
  Fedora Core 4 Update: magma-plugins-1.0.0-2
  29th, June, 2005

Updated upstream sources.

http://www.linuxsecurity.com/content/view/119446
 
  Fedora Core 4 Update: iddev-2.0.0-1
  29th, June, 2005

Updated upstream sources.

http://www.linuxsecurity.com/content/view/119447
 
  Fedora Core 4 Update: magma-1.0.0-1
  29th, June, 2005

Updated upstream sources.

http://www.linuxsecurity.com/content/view/119448
 
  Fedora Core 4 Update: gulm-1.0.0-2
  29th, June, 2005

Updated upstream sources.

http://www.linuxsecurity.com/content/view/119449
 
  Fedora Core 4 Update: fence-1.32.1-1
  29th, June, 2005

Updated upstream sources.

http://www.linuxsecurity.com/content/view/119450
 
  Fedora Core 4 Update: dlm-1.0.0-3
  29th, June, 2005

Updated upstream sources.

http://www.linuxsecurity.com/content/view/119451
 
  Fedora Core 4 Update: cman-1.0.0-1
  29th, June, 2005

Updated upstream sources.

http://www.linuxsecurity.com/content/view/119452
 
  Fedora Core 4 Update: ccs-1.0.0-1
  29th, June, 2005

Updated upstream sources.

http://www.linuxsecurity.com/content/view/119453
 
  Fedora Core 4 Update: GFS-6.1.0-3
  29th, June, 2005

Updated upstream sources.

http://www.linuxsecurity.com/content/view/119454
 
  Fedora Core 4 Update: mod_perl-2.0.1-1.fc4
  29th, June, 2005

So FC4 will no longer depend on a pre-release...

http://www.linuxsecurity.com/content/view/119455
 
   Gentoo
  Gentoo: Clam AntiVirus Denial of Service vulnerability
  27th, June, 2005

Clam AntiVirus is vulnerable to a Denial of Service attack when processing certain Quantum archives.

http://www.linuxsecurity.com/content/view/119421
 
  Gentoo: Heimdal Buffer overflow vulnerabilities
  29th, June, 2005

Multiple buffer overflow vulnerabilities in Heimdal's telnetd server could allow the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/119434
 
   Red Hat
  RedHat: Moderate: sudo security update
  29th, June, 2005

An updated sudo package is available that fixes a race condition in sudo's pathname validation. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/119436
 
