1 2 This file contains a list of most of the security warnings that you 3might see while using the COPS system. Not included here are messages 4that you may receive from the Kuang system and the ftp checker. For 5help on using those tools, read the appropriate documentation on each 6of those ("kuang.doc" and "ftp.1".) 7 8 First, I'll define some arbitrary terms which I'll use when describing 9any problems you may encounter, then I'll list the messages, what they may 10mean, and how you can change your system to eliminate any danger posed. 11Some almost identical warnings were eliminated from the list; however 12most warnings should have an analogous entry that is very close syntactically 13to it in this file. All messages in COPS are prepended by "Warning!"; 14this has been excluded here for brevity. 15 16 There may be more than one way to overcome any problem listed here. If 17you are unsure about whether to change a problem, try looking at some of 18the references listed at the end of the technical report (cops.report) for 19more information on how an attacker may compromise your system. Some of 20the more dangerous security holes include writable directories and key files 21(such as /etc/passwd), root owned SUID files writable to world or that give 22a root shell, null passwords, and writable files that are executed by root. 23They are more or less aranged in like groups (all the writable files/dirs/ 24whatever in one part, etc.) 25 26 Don't take everything that COPS says as gospel! What may be a serious 27security hole on one machine may not be on your own, and vice-versa. 28However, the more you value the information on your machine, the more you 29should be concerned about security. 30 31 Some terms I'll use: 32xyz -- An arbitrary number. Usually a line number in a file. 33foo_file -- stands for a file you might see in your warning message. 34foo_file2 -- Same as "foo_file", stands for a different file than the 35 first (used when two filenames are needed in one message.) 36foo_dir -- a typical directory. 37Group file -- /etc/group or the yellow pages group. If the warning starts 38 with "Group", it is the former, "YGroup" is the latter. 39foo_group -- either /etc/group or ygroup. 40Password file -- /etc/passwd or the yellow pages password. If the warning 41 starts with "Password", it is the former, "YPassword" refers 42 to the latter. 43foo_pass -- either /etc/passwd or ypasswd. 44cron_file -- will be either /usr/cron or 45 /usr/spool/cron/crontabs/foo_file. 46foo -- anything that doesn't fit above. Usually an arbitrary 47 name, or group name, or whatever. 48bar -- As "foo", if more than one name is needed in one message. 49foo_bar -- As "foo", if more than two names are needed in one message. 50 51 52 WARNING MESSAGES 53 ----------------- 54 550) 56foo_file is _World_ writable! 57foo_file is group readable! 58 59 This simply means that a file is world writable; e.g. Anyone can modify 60or delete this file. This can be especially bad if the file can (even 61indirectly) give root access, such as the system password file, "/etc/passwd". 62 To fix, type: 63 chmod a-w foo_file 64This removes write access for group "all/world". 65 661) 67foo_file (in cron_file) is World writable!" 68File foo_file (inside root executed file foo_file2) is _World_ writable!" 69File foo_file (in /etc/rc*) is _World_ writable!" 70 71 Similar to the above messages, but potentially more serious. Files 72in this group are being used by root, and either being utilized as input, 73output, or for execution. Examine the file they are inside and see how 74it is being used. Files being executed are the most dangerous because 75if they are changed, the new file gets executed with root privileges. Input 76files are next, because changing them can alter what the executing program 77does and cause undesirable side affects. Even output files can be dangerous, 78however, because they may be used as an output or even as a program file 79later on. 80 To fix, either delete the reference to foo_file inside the 81cron/rc*/foo_file2/whatever file, or type: 82 chmod a-w foo_file 83to remove write access for group "all/world". 84 852) 86Directory foo_dir is _World_ writable! 87 88 This simply means that a directory (or it's parent directories) is world 89writable; e.g. Anyone can delete this directory, as well as mess with the 90files and subdirectories inside of it. For instance, if /usr/spool is world 91writable, even if cron is not writable, this is a problem, because the cron 92directory can be replaced and new crontab files put in (which all run with 93root privileges.) As a general rule, if you wish to have a file or 94directory secure, all directories that are parent directories must be secure. 95 To fix, type: 96 chmod a-w foo_dir 97 and/or 98 chmod a-w [foo_dir's parent directory] 99This removes write access for group "all/world". 100 1013) 102Directory foo_dir is _World_ writable and in roots path! 103 104 This is the same as (2), but the directory was found to be in the 105path variable set either in /.login or /.profile. This is a bad thing 106because if it is writable, a trojan horse can be placed there, and 107root will execute the command. See also (23). 108 1094) 110Duplicate Group(s) found in foo_group: 111 112 This means that one or more duplicate group names have been found. 113This is mostly a system accounting problem; when adding or deleting names 114from a group you will have problems. 115 To fix, remove all but one instance of each group in your /etc/group file. 116 1175) 118Group foo_bar has duplicate user(s): 119 120 Similar to (4), a group has the same user listed more than once. If 121all instances of the user is not deleted, they probably will remain with 122their old privileges. 123 To fix, remove all but one instance of a user in each group of your 124/etc/group file. 125 1266) 127Group file, line xyz, non-numeric group id: foo 128 129 Group id's must be numeric. Testing a non-numeric id will give 130unpredictable results. 131 To fix, change the old id to a valid group id. 132 1337) 134Group file, line xyz, is blank 135 136 To fix, remove all blank lines. 137 1388) 139Group file, line xyz, does not have 4 fields: foo 140 141 More trouble. Testing of one or more of the groups will result 142in invalid results, depending which is the missing field(s). 143 To fix, ensure group has four valid fields. 144 1459) 146Group file, line xyz, nonalphanumeric user id: foo 147 148 As (6). 149 To fix, change the old id to a valid group id. 150 15110) 152Group file, line xyz, group has password: foo 153 154 To fix, change the old password to an asterisk ("*"). 155 15611) 157Password Problem: Guessed: foo shell: bar passwd: foo_bar 158 159 If an account has a guessed password, it is susceptible to other password 160guessing programs (the one in COPS is rather crude and slow). Obviously, if 161the password is known, the account is compromised. 162 To fix, either have the user change her/his password or change it yourself. 163 16412) 165Password Problem: null passwd: foo shell: bar 166Password file, line xyz, no password: foo 167 168 If an account has no password, anyone can log into the account at will. 169 To fix, either have the user change her/his password or change it yourself. 170 17113) 172Duplicate uid(s) found in foo_passwd: 173 174 This is a problem, especially if the accounts have different permissions 175or privileges. When the user's account is deleted, one or more accounts may 176remain active. 177 To fix, simply delete all but one occurrence of the users account. 178 17914) 180Password file, line xyz, user foo has uid = 0 and is not root bar 181 182 Ideally, no one but root should have uid = 0. Anyone with uid=0 is 183superuser, for all purposes. Occasionally, a maintenance account has 184uid=0, or perhaps a small group of administrators. Be very careful! 185 To fix, change the uid from 0 to some other valid number. If the 186account or person really needs root privileges, have them su to the root 187account so you can keep track of who is using root. 188 18915) 190Password file, line xyz, nonalphanumeric login: foo 191 192 Another maintenance problem. Someone's been messing with the password 193file, or you have some bugs in your software that fools around with it. 194 To fix, delete or change the login to a valid login. 195 19616) 197Password file, line xyz, invalid login directory: foo 198User foo's home directory bar is not a directory! 199 200 A user has a non-existent or invalid login directory listed in the password 201file. Sometimes these are maintenance accounts, but it is discouraged. 202Examine the account to see if it should really exist. 203 To fix, either delete the account or put in a valid login directory. 204 20517) 206Password file, line xyz, nonnumeric group id: foo 207Password file, line xyz, nonnumeric user id: foo 208 209 A user has a invalid user or group id. Dangerous if, when checked, it 210translates to invalid number (who knows what would happen), or worse yet, 0. 211 To fix, change the field to a legal, numeric value. 212 21318) 214Password file, line xyz, negative user id: foo 215 216 A user id is negative. This is most common with user name "nobody", 217and with an id of "-2". This can be dangerous, especially if you are running 218a Sun, with 4.xx SunOS. It is uncertain if it is dangerous for other 219versions or machines. Changing it to 32767 is the usual course of action. 220 22119) 222Password file, line xyz, does not have 7 fields: foo 223 224 Dangerous, because when a program checks for a field value it will come 225up with who knows what. 226 To fix, ensure all fields have legal values. 227 22820) 229Password file, line xyz, is blank 230 231 To fix, delete all blank lines. This can be very bad, because a blank 232line can give a uid=0 account with no password. 233 23421) 235NFS file system foo exported with no restrictions. 236 237 Anyone can mount the file system. May or may not be a problem, but 238look over closely, if you value ANY of the info on it! 239 To fix, put in a valid list of hosts that may mount it. 240 24122) 242Root's umask set to xyz 243 244 If root's umask is set incorrectly, any files that it creates will be 245have bad permissions (e.g. world writable if 000, x00, or xy0). 246 To fix, put a "safe" value; 077 or whatever. 247 24823) 249"." (or current directory) is in roots path! 250 251 Trojan horses traditionally play upon having the current directory in 252a users path. A bad user will put a trojan horse with a the same name as 253a common system command ("ls" is a favorite) and place it in a location that 254s/he thinks might be executed. When the trojan horse is executed, it will 255not only execute the command, but will also either steal your account 256privileges or have your account perform some action that they desire. 257 25824) 259A "+" entry in foo_file! 260 261 Host.equiv files specify which machines are equivalent; e.g., user foo on 262another machine listed in your hosts.equiv can log in as user foo onto your 263machine. A "+" means your machine trusts everyone (I trust no one :-)), which 264is usually not desired, at least in these troubled times. Sun, in it's 265infinite stupidity, makes this the default on all of it's machines. 266 267 To fix, either remove the "+", put in your own list of trusted machines, 268or delete the file. 269 27025) 271rexd is enabled in foo_file! 272 273 This can allow commands to be excecuted remotely. (foo_file is usually 274/etc/inetd.conf, of course.) 275 276 To fix, comment it out of foo_file (put a "#" sign in front of the line.) 277 27825) 279User foo's home directory foo_dir is mode xyz! 280 281 If a user's home directory is writable, you have the same problems as (3), 282except all of the user's files are in jeopardy this time. 283 284 To fix, type: 285 chmod a-w foo_dir 286 28726) 288User foo: .bar is mode xyz! 289 290 In this case, ".bar" stands for one of the user's initialization files, 291such as .login, .profile, .exrc, ect. If the user's file is world writable, 292then anyone can modify that file, and whenever the user logs in or executes 293a command (such as "vi", when referring to ".exrc"), they will execute 294whatever commands the bad girl/boy wants them to. 295 296 To fix, type: 297 chmod a-w foo_file 298 29927) 300tftp is enabled on foo_host! 301 302 This means that people can steal your password file remotely, and run 303a password cracking program on it. Bad news, unless you _really_ have great 304password security, or you're running shadowpasswords. But even then, they 305can still steal any world readable file on your system. 306 307 To fix, comment out (put a pound sign ("#") in the front of the line) 308tftp -- usually a line in your /etc/inetd.conf file. 309 31028) 311uudecode is enabled in foofile! 312 313 If the decode mail alias is a valid mail address, people can mail to it, 314and create files on your system. If the uudecode is SUID root, or something 315equally insane, it can overwrite any file. 316 317 To fix, comment out the alias in your (usually /usr/lib/alias) mail alias 318file. 319 32029) 321uudecode creates setuid files! 322 323 A common problem, it seems. Uudecode should not create any kind of 324special files; if combined with (30), you can create hidden SUID files, 325perfect for an attacker. If combined with (28), then it can be an even 326worse remote attack. 327 32830) 329uudecode is suid! 330 331 Worse and worse. If this is true, then you can create files that are 332owned by whomever it is SUID to. 333 334 To fix, just make it non-suid. If it has to be suid for some unknown 335reason, make it SUID to user nobody, or guest, or something relatively 336inoccuous, even though it won't be. 337 33831) 339ROOT owned SUID file foo_file is type: foo_type! 340 341 No root owned SUID file should be anything other than an executable 342binary; however, since this test depends on the "file" command, it may get 343confused, especially when using NFS, since, for example, a Sun won't recognize 344a MIPS executable binary as such. In any case, examine all SUID root files 345*very* carefully. And under *no* circumstance should it be a shell script. 346No, no, no. 347 34832) 349User: foo SUID file is type: foo_type! 350 351 As (31), but possibly less severe. 352 35333) 354foo should be in /etc/ftpusers! 355/etc/ftpusers should exist! 356 357 Problems 33-42 deal with ftp and anonymous ftp setup. All system 358accounts (root, bin, etc.) should be in /etc/ftpusers, to prevent them 359from using ftp. 360 36134) 362Need user foo for anonymous ftp to work! 363 364 ("foo" usually means "ftp", BTW.) For anonymous ftp to work, it 365needs this login to exist in the password file. 366 To fix, remove all but one instance of a user in each group of your 367 36835) 369Home directory for ftp doesn't exist! 370ftp's home directory should not be "/"! 371 372 The home directory for ftp, found in the password file, should exist 373and should *not* be "/". Make it some innocuous place on the file 374system where you can keep an eye on things and dump/store stuff without 375causing any damage. 376 37736) 378~ftp/etc/passwd and /etc/passwd are the same! 379~ftp/etc/group and /etc/group are the same! 380 381 Login names, passwords, and such should be kept hidden from the 382average anonymous ftp browser. Do *not* put your password/group 383files in the ~ftp/etc directory; if you must have the actual user 384names in the file, then at least star out (put an asterix ("*") in 385place of the encrypted password) the password entry. 386 38737) 388File foo_file is missing (anon-ftp setup)! 389 390 Some critical file is missing, such as the password or group file. 391On some versions of ftpd, this is not a problem, and on others, it 392will simply not work. 393 39438) 395foo_file should be owned by foo_user or bar_user! 396 397 If key files and/or directories are owned by the wrong user, then 398trouble can happen. For instance, if ftp's home directory is owned 399and/or writable by ftp, then anonymous ftp users can insert .rhosts 400and .forward files to cause mischief. 401 To fix, chown the files to root. 402 40339) 404~ftp should be mode 555! 405 406 Unless ftp's home directory is owned by root, no one should be 407able to write on this directory (if root owns this, it can be 408mode 755.) 409 41040) 411~ftp/.rhosts should be be empty! 412 413 There is usually no good reason to let user "ftp" trust other sites. 414If any .rhosts file exists, it should be empty. 415 41641) 417Incorrect permissions on foo_file in foo_dir! 418 419 Certain files (the password file, etc.) should be set to be readable 420to all, but writable by root. Other files must be executable, etc. 421This flags any abberations in the setup. 422 42342) 424Anon-ftp directory foo_dir is World Writable! 425 426 If a directory is kept open for an "incoming" upload/downloads, 427it is a good idea to keep the directory unreadable by all, and that it 428should not hold other "trusted" software in that same directory, else 429a normally "safe" program could be overwritten with a trap door, 430virus, whatever. 431 432