Linux Security - Is it Ready For The Average User?
by Bob Toxen - Originally published in issue 1 of (IN)SECURE Magazine - Monday, 1 August 2005.
Then, disable those that are not needed. They probably will include /usr/bin/rcp, /usr/bin/rsh, /usr/bin/rlogin, and /usr/bin/sperl5.6.1 (the version suffix on sperl matches the installed perl). The problem with simply removing them, or even just doing a chmod on them, is that you may want to undo your work later, even if you are sure you will never need them. I discovered this the hard way with sperl, a version of perl designed to support set-UID perl scripts. I was trying to install a security patch on the regular perl program. Unfortunately, Red Hat's up2date program is not very smart and refused to install the new version of perl unless sperl also was present.

Fortunately, I could undo my work - just long enough to install the patch and to re-disable sperl. My technique is to create a directory called "off" in each directory that has a set-UID or set-GID program that I wish to disable. I create the "off" directory to be owned by root mode 700. Then, I just move the affected programs into their respective "off" directories. For example, one could do the following as root:

cd /usr/bin
mkdir off
chmod 700 off
mv rcp rsh rlogin sperl5.6.1 [other unneeded set-UID programs] off/.
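The procedure above, as an added shell example that is not from the article: a helper that lists the set-UID and set-GID programs in a directory, parks the named ones in a root-only "off" subdirectory, and puts them back when an update demands them. The function names and the use of `find` are my own; against a real /usr/bin it has to run as root, and the check below exercises it on a scratch directory instead.

```shell
#!/bin/sh
# Added example, not from the article: park unneeded set-UID/set-GID programs
# in a root-only "off" subdirectory (the article's technique) so they can be
# restored later, e.g. when a package update insists on their presence.
# Against a real /usr/bin this must run as root; program names are arguments.

# Print the names of set-UID or set-GID regular files directly inside DIR.
list_suid() {
    dir=$1
    find "$dir" -maxdepth 1 -type f \( -perm -4000 -o -perm -2000 \) \
        -exec basename {} \; | sort
}

# Move PROG... out of DIR into DIR/off, created owner-only (mode 700) so that
# ordinary users cannot even traverse it; the files keep their set-UID bits
# but are unreachable. Fails on the first program that cannot be moved.
suid_off() {
    dir=$1; shift
    mkdir -p "$dir/off" && chmod 700 "$dir/off" || return 1
    for p in "$@"; do
        if [ ! -e "$dir/$p" ]; then
            echo "suid_off: $dir/$p: no such file" >&2
            return 1
        fi
        mv "$dir/$p" "$dir/off/$p" || return 1
    done
}

# Put PROG... back from DIR/off into DIR, e.g. just long enough to apply a patch.
suid_on() {
    dir=$1; shift
    for p in "$@"; do
        mv "$dir/off/$p" "$dir/$p" || return 1
    done
}

# Typical use (as root):  suid_off /usr/bin rcp rsh rlogin
#                         suid_on  /usr/bin sperl5.6.1   # while up2date runs
```

Moving rather than chmod-ing keeps each program's original mode intact, so restoring it is a single `mv` and nothing has to be remembered; the 700 directory is what makes the parked copies unreachable to ordinary users.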

Forget about telnet and non-anonymous FTP too. Use ssh, scp, and sftp instead.

A Notable Exception

A notable exception is the list of programs that you will need but which should not be set-UID. The mount and umount programs constitute this list. They only need to be set-UID if you want to allow ordinary users to mount and unmount file systems. Not you? Good. Secure them by clearing the set-UID bit (mode 4755 becomes 755). Be aware that reinstalling or updating the package that owns them may put the bit back, so recheck after updates:

chmod 755 /bin/mount /bin/umount

Do Not Run Your Daemons As Root To Run Off Hackers

The only reason why most network daemons need to run as root is to open the well-known port for listening when the port number is less than 1024. Some daemons, such as Apache and named (DNS), can be configured so that once they open that port and do a little housekeeping, they switch to run as a non-privileged user. Absolutely take advantage of this feature. Apache usually is set up to do this by default, via the User and Group directives in httpd.conf. Check it by running the following command and confirming that only one of the Apache processes, the parent whose PPID is 1, is running as root; every worker should show the unprivileged account:

ps axl | grep httpd

The named program should be invoked with the -u flag to cause it to switch to run as an unprivileged user after opening its well-known port of 53 under both TCP and UDP. Even better would be to also use its -t flag to put it in a chroot jail. Many distros now do this. Note that only an organization's DNS servers need to run named. Desktop and laptop systems usually should not run named. Note too that chroot jails cannot contain root processes, since root can chew through the bars; that is why -u matters even when -t is used.
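Both checks in this section, the Apache process-owner check and the named -u/-t check, as one added shell example that is not from the article. It reads a `ps -eo pid,ppid,user,args` listing (a shape of output the `ps axl | grep httpd` command above also gives, with different columns) and reports the processes that violate the rules just described. The function name, the reported process names (httpd, apache2, named) and the sample listing in the check are my own constructions.

```shell
#!/bin/sh
# Added example, not from the article: audit a `ps -eo pid,ppid,user,args`
# listing for the two checks in the text. For Apache, only the listening
# parent (PPID 1) may be root; every worker must run as the unprivileged
# User/Group. BIND's named drops root in-process when started with -u, so
# no named should still be root, and a missing -t (chroot) is reported too.
# Reads the listing on stdin; prints one line per finding; exit status is 1
# if a root-running daemon was found. Process names are assumed to be
# httpd/apache2 and named.
audit_daemons() {
    awk '
    NR == 1 && $1 == "PID" { next }      # skip the ps header line, if present
    {
        pid = $1; ppid = $2; user = $3; cmd = $4
        sub(/.*\//, "", cmd)              # /usr/sbin/httpd -> httpd
        if (cmd == "httpd" || cmd == "apache2") {
            if (user == "root" && ppid != 1) {
                printf "pid %s: %s worker running as root\n", pid, cmd
                bad++
            }
        } else if (cmd == "named") {
            if (user == "root") {
                printf "pid %s: named running as root (start it with -u USER)\n", pid
                bad++
            }
            if ($0 !~ / -t /)
                printf "pid %s: named not in a chroot jail (-t DIR)\n", pid
        }
    }
    END { exit (bad > 0) }'
}

# Live use:  ps -eo pid,ppid,user,args | audit_daemons
```

The missing -t is reported but does not fail the audit, matching the text's "even better" rather than "must"; a root-owned worker or a root-owned named does fail it, since either means the privilege drop never happened.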

Good Security Is Like Good Health

To improve your health, stop smoking, eat a balanced diet, and lose weight. Following that advice alone will greatly improve your health. Likewise, taking the advice in this article will improve your system's security health substantially.

As with health, for those who want to improve their security more, there is no limit as to how far one can go. How far one should go depends on how important it is to not be broken into. For those that want to do more, please see my book:

"Real World Linux Security: Intrusion Detection, Prevention, and Recovery" 2nd Ed., Prentice Hall, (C) 2003, 848 pages, ISBN: 0130464562. Also available in Japanese, Chinese, Czech, and Polish.

Bob Toxen (interview) has 30 years of UNIX and 10 years of Linux experience, helped create Berkeley UNIX and ported UNIX to the Silicon Graphics workstation.
