The Set-User ID (SUID) and Set-Group ID (SGID) bits allow an application to be run as the user or group that owns the application. In most cases, the owner is root. The main reason for this is to give users the capability to modify files or have access to resources that require special privileges. The unfortunate aspect of this is that such applications can often be exploited to perform malicious operations or used to access private information. SUID and SGID files should not be treated lightly. Administrators should know which files on their system are SUID or SGID, especially those owned by root. The security implications of SUID and SGID files are covered in more detail in Chapter 4, “What Is This UNIX Thing?,”
Like many operating systems, Mac OS X has a number of installed SUID and SGID files. Many of these programs do not necessarily require such permissions; some are not even useful. This appendix provides a listing of all the installed SUID and SGID files. In addition, it provides suggestions for dealing with some of these files to improve the security of your system(s).
Table A.1 lists all the SUID and SGID files installed with Mac OS X and Mac OS X Server, and their ownership information. All listings in this appendix are based on Mac OS X and Mac OS X Server version 10.2.3, build 6G30.
Table A.1. Installed SUID and SGID Applications
FILE | OWNER | GROUP | SUID | SGID |
|---|---|---|---|---|
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | X |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | X |
|
|
| X | X |
|
|
| X | |
|
|
| X | X |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
|
|
| X | |
/Applications/Utilities/ Disk Utility.appContents/MacOS/ Disk Utility |
| X | ||
/Applications/Utilities/NetInfo Manager.app/Contents/MacOS/ NetInfo Manager |
|
| X | |
/Applications/Utilities/ODBC Administrator.app/Contents/ Resources/iodbcadmintool |
|
| X | |
/System/Library/CoreServices/ AuthorizationTrampoline |
|
| X | |
/System/Library/CoreServices/ Classic Startup.app/Contents/ Resources/TruBlueEnvironment |
|
| X | |
/System/Library/CoreServices/ Finder.app/Contents/Resources/ OwnerGroupTool |
|
| X | |
/System/Library/Filesystems/ AppleShare/afpLoad |
|
| X | |
/System/Library/Filesystems/ AppleShare/check_afp.app/ Contents/MacOS/check_afp |
|
| X | |
/System/Library/Filesystems/ cd9660.fs/cd9660.util |
|
| X | |
/System/Library/Frameworks/ ApplicationServices.framework/ Versions/A/Frameworks/ PrintCore.framework/Versions/A/ Resources/PrinterSharingTool |
|
| X | |
/System/Library/Printers/ Libraries/aehelper |
|
| X | |
/System/Library/Printers/ IOMs/LPRIOM.plugin/Contents/ MacOS/LPRIOMHelper |
|
| X | |
/System/Library/Printers/ Libraries/csregprinter |
|
| X | |
/System/Library/PrivateFrameworks/ Admin.framework/Versions/A/ Resources/readconfig |
|
| X | |
/System/Library/PrivateFrameworks/ Admin.framework/Versions/A/ Resources/writeconfig |
|
| X | |
/System/Library/PrivateFrameworks/ DesktopServicesPriv.framework/ Versions/A/Resources/Locum |
|
| X | |
/System/Library/PrivateFrameworks/ NetworkConfig.framework/Versions/ A/Resources/NetCfgTool |
|
| X |
In addition to the applications in Table A.1, Mac OS X Server has the following SUID and SGID applications shown in Table A.2.
The information in the Table A.1 and Table A.2 will probably change with future releases or updates to Mac OS X. The following command can be used to locate all SUID and SGID files on a system. This command also can be useful to locate any such files that may have been added since the initial installation.
sudo find / -xdev ( -perm -02000 -or -perm -04000 ) -ls -type f
The applications shown in the list that follows are all SUID apps that we suggest be removed. The remote applications (rcp, rdump, rrestore, rlogin, rsh) are of no real use on modern UNIX systems. The “ch*” applications (chfn, chpass, chsh) allow users to change their shell, finger information, and other credentials. Some administrators may not want their users to have such capabilities. Also, these applications are useless in most cases because Mac OS X defaults to storing this information in NetInfo, not the /etc/passwd file on which these applications operate. The sliplogin application has a dirty past that has lead to unauthorized access exploits. Previous versions of Mac OS X shipped a sliplogin program that contained a buffer overflow.
If you do not feel comfortable removing these programs, at least change them so that they are not SUID.
/bin/rcp/sbin/rdump/sbin/rrestore/usr/bin/rlogin/usr/bin/rsh/usr/bin/chfn/usr/bin/chpass/usr/bin/chsh/usr/sbin/sliplogin
The applications in this next list should probably have their SUID bits removed. All these are applications that should really only be used by administrators.
The applications in the list that follows should probably have their SGID bits removed. It was suggested previously that the remote applications (rdump, rrestore) be removed, or at least their SGID bits removed. The wall and write applications have a history of being exploited and are not necessary.
/usr/bin/wall/usr/bin/write/sbin/dump/sbin/rdump/sbin/restore/sbin/rrestore