Fortunately, I could undo my work - just long enough to install the patch and to re-disable sperl. My technique is to create a directory called "off" in each directory that has a set-UID or set-GID program that I wish to disable. I create the "off" directory owned by root with mode 700. Then, I just move the affected programs into their respective "off" directories. For example, one could do the following as root, in the directory that holds the programs:
mkdir off
chown root off
chmod 700 off
mv rcp rsh rlogin sperl5.6.1 other stuff off/.
Forget about telnet and non-anonymous FTP too. Use ssh, scp, and sftp instead.
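As an added example (my own script, not code from the article), the following shell functions turn the "off" directory technique into something repeatable: list_setid audits a tree for set-UID and set-GID programs that are still active (it does not descend into "off" directories), and disable_setid parks the named programs in a root-owned, mode 700 "off" directory exactly as described above. Both function names are my own; the chown step is skipped when the script is not run as root.

```shell
#!/bin/sh
# Added example, not from the original article.
# Audit and disable set-UID/set-GID programs using the "off" directory technique.

# List regular files with the set-UID or set-GID bit under the tree $1,
# skipping anything already parked in an "off" directory.
list_setid() {
    find "$1" -type d -name off -prune -o \
        -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Move the programs named in $2.. (found in directory $1) into $1/off.
# The "off" directory is created owned by root, mode 700, so that only
# root can reach the programs inside it.
# Usage (as root): disable_setid /usr/bin rcp rsh rlogin
disable_setid() {
    dir=$1; shift
    mkdir -p "$dir/off"
    # chown only succeeds as root; when run unprivileged the directory
    # stays owned by the caller, which is fine for a dry run.
    if [ "$(id -u)" -eq 0 ]; then
        chown root "$dir/off"
    fi
    chmod 700 "$dir/off"
    for prog in "$@"; do
        if [ -e "$dir/$prog" ]; then
            mv "$dir/$prog" "$dir/off/"
        else
            echo "warning: $dir/$prog not found, nothing to disable" >&2
        fi
    done
}
```

Run list_setid / first to see what is set-UID or set-GID on the system, decide which of those programs the machine actually needs, and hand the rest to disable_setid. Because the programs keep their permission bits, moving them back out of "off" re-enables them instantly when a patch has to be installed.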
A Notable Exception
A notable exception is the list of programs that you will need but which should not be set-UID. The mount and umount programs constitute this list. They only need to be set-UID if you want to allow ordinary users to mount and unmount file systems. Not you? Good. Secure them by doing:
chmod 755 /bin/mount /bin/umount
Do Not Run Your Daemons As Root To Run Off Hackers
The only reason why most network daemons need to run as root is to open the well-known port for listening when the port number is less than 1024. Some daemons, such as Apache and named (DNS), can be configured so that once they open that port and do a little housekeeping, they switch to running as a non-privileged user. Absolutely take advantage of this feature. Apache usually is set up to do this by default. Verify this by running the following command and checking that only one of the Apache daemons, the one whose PPID is 1, is running as root:
ps axl | grep httpd
The named program should be invoked with the -u flag to cause it to switch to run as an unprivileged user after opening its well-known port of 53 under both TCP and UDP. Even better would be to also use its -t flag to put it in a chroot jail. Many distros now do this. Note that only an organization's DNS servers need to run named. Desktop and laptop systems usually should not run named. Note too that chroot jails cannot contain root processes since they can chew through the bars.
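The ps check above is easy to automate. The functions below are an added example (mine, not the article's) that read "ps axl" output on standard input and report any process of a named daemon that is still running as root without being the PPID-1 parent; they generalize the Apache check to any daemon that is supposed to drop privileges, named included. The column positions assumed are those of Linux "ps axl" (F UID PID PPID PRI NI VSZ RSS WCHAN STAT TTY TIME COMMAND); the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article.
# Check that a privilege-dropping daemon really left root behind.
#
# "ps axl" columns on Linux (assumed here):
#   $1 F  $2 UID  $3 PID  $4 PPID  $5 PRI  $6 NI  $7 VSZ  $8 RSS
#   $9 WCHAN  $10 STAT  $11 TTY  $12 TIME  $13.. COMMAND

# Print every process whose command matches $1 that runs as root (UID 0)
# but is NOT the PPID-1 parent that holds the privileged port.
# Usage: ps axl | root_workers httpd      (no output means all is well)
root_workers() {
    awk -v name="$1" '
        NR == 1            { next }   # header line
        $13 !~ name        { next }   # some other program
        $2 == 0 && $4 != 1 { print }  # root, but not the PPID-1 parent
    '
}

# Print the distinct UIDs that the daemon's non-parent processes run as,
# so you can see at a glance which account the workers dropped to.
# Usage: ps axl | worker_uids httpd
worker_uids() {
    awk -v name="$1" 'NR > 1 && $13 ~ name && $4 != 1 { print $2 }' | sort -u
}
```

A correctly configured Apache prints nothing from root_workers httpd and a single unprivileged UID from worker_uids httpd; a named started with -u should show no root entries at all except the PPID-1 parent.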
Good Security Is Like Good Health
To improve your health, stop smoking, eat a balanced diet, and lose weight. Following that advice alone will greatly improve your health. Likewise, taking the advice in this article will improve your system's security health substantially.
As with health, for those who want to improve their security more, there is no limit as to how far one can go. How far one should go depends on how important it is to not be broken into. For those that want to do more, please see my book:
"Real World Linux Security: Intrusion Detection, Prevention, and Recovery" 2nd Ed., Prentice Hall, (C) 2003, 848 pages, ISBN: 0130464562. Also available in Japanese, Chinese, Czech, and Polish.
Bob Toxen (interview) has 30 years of UNIX and 10 years of Linux experience, helped create Berkeley UNIX and ported UNIX to the Silicon Graphics workstation.