1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
|
msgid ""
msgstr ""
"Project-Id-Version: PACKAGE VERSION\n"
"POT-Creation-Date: 2010-10-22 00:56+0600\n"
"PO-Revision-Date: 2010-10-22 00:56+0600\n"
"Last-Translator: Automatically generated\n"
"Language-Team: none\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Language: ru\n"
"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n"
"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n"
#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(version):10
msgid "1.1"
msgstr ""
#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(date):11
msgid "2006-09-16"
msgstr ""
#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(title):14
msgid "World readable"
msgstr ""
#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(p):17
msgid ""
"Normal users should not have access to configuration files or passwords. An "
"attacker can steal passwords from databases or web sites and use them to "
"deface--or even worse, delete--data. This is why it is important that your "
"file permissions are correct. If you are sure that a file is only used by "
"root, assign it with the permissions <c>0600</c> and assign the file to the "
"correct user with <c>chown</c>."
msgstr ""
#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(title):29
msgid "World/Group writable"
msgstr ""
#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(pre:caption):32
msgid "Finding world-writable files and directories"
msgstr ""
#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(pre):32
#, no-wrap
msgid ""
"\n"
"# <i>find / -type f \\( -perm -2 -o -perm -20 \\) -exec ls -lg {} \\; 2>/dev/null >writable.txt</i>\n"
"# <i>find / -type d \\( -perm -2 -o -perm -20 \\) -exec ls -ldg {} \\; 2>/dev/null >>writable.txt</i>\n"
msgstr ""
#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(p):37
msgid ""
"This will create a huge file with permission of all files having either "
"write permission set to the group or everybody. Check the permissions and "
"eliminate world writable files to everyone, by executing <c>/bin/chmod o-w</"
"c> on the files."
msgstr ""
#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(title):47
msgid "SUID/SGID files"
msgstr ""
#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(p):50
msgid ""
"Files with the SUID or SGID bit set execute with privileges of the "
"<e>owning</e> user or group and not the user executing the file. Normally "
"these bits are used on files that must run as root in order to do what they "
"do. These files can lead to local root compromises (if they contain security "
"holes). This is dangerous and files with the SUID or SGID bits set should be "
"avoided at any cost. If you do not use these files, use <c>chmod 0</c> on "
"them or unmerge the package that they came from (check which package they "
"belong to by using <c>equery</c>; if you do not already have it installed "
"simply type <c>emerge gentoolkit</c>). Otherwise just turn the SUID bit off "
"with <c>chmod -s</c>."
msgstr ""
#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(pre:caption):62
msgid "Finding setuid files"
msgstr ""
#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(pre):62
#, no-wrap
msgid ""
"\n"
"# <i>find / -type f \\( -perm -004000 -o -perm -002000 \\) -exec ls -lg {} \\; 2>/dev/null >suidfiles.txt</i>\n"
msgstr ""
#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(p):66
msgid "This will create a file containing a list of all the SUID/SGID files."
msgstr ""
#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(pre:caption):70
msgid "List of setuid binaries"
msgstr ""
#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(pre):70
#, no-wrap
msgid ""
"\n"
"/bin/su\n"
"/bin/ping\n"
"/bin/mount\n"
"/bin/umount\n"
"/var/qmail/bin/qmail-queue\n"
"/usr/bin/chfn\n"
"/usr/bin/chsh\n"
"/usr/bin/crontab\n"
"/usr/bin/chage\n"
"/usr/bin/expiry\n"
"/usr/bin/sperl5.6.1\n"
"/usr/bin/newgrp\n"
"/usr/bin/passwd\n"
"/usr/bin/gpasswd\n"
"/usr/bin/procmail\n"
"/usr/bin/suidperl\n"
"/usr/lib/misc/pt_chown\n"
"/usr/sbin/unix_chkpwd\n"
"/usr/sbin/traceroute\n"
"/usr/sbin/pwdb_chkpwd\n"
msgstr ""
#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(p):93
msgid ""
"By default Gentoo Linux does not have a lot of SUID files (though this "
"depends on what you installed), but you might get a list like the one above. "
"Most of the commands should not be used by normal users, only root. Switch "
"off the SUID bit on <c>ping</c>, <c>mount</c>, <c>umount</c>, <c>chfn</c>, "
"<c>chsh</c>, <c>newgrp</c>, <c>suidperl</c>, <c>pt_chown</c> and "
"<c>traceroute</c> by executing <c>chmod -s</c> on every file. Don't remove "
"the bit on <c>su</c>, <c>qmail-queue</c> or <c>unix_chkpwd</c>. Removing "
"setuid from those files will prevent you from <c>su</c>'ing and receiving "
"mail. By removing the bit (where it is safe to do so) you remove the "
"possibility of a normal user (or an attacker) gaining root access through "
"any of these files."
msgstr ""
#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(p):106
msgid ""
"The only SUID files that I have on my system are <c>su</c>, <c>passwd</c>, "
"<c>gpasswd</c>, <c>qmail-queue</c>, <c>unix_chkpwd</c> and <c>pwdb_chkpwd</"
"c>. But if you are running X, you might have some more, since X needs the "
"elevated access afforded by SUID."
msgstr ""
#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(title):116
msgid "SUID/SGID binaries and Hard links"
msgstr ""
#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(p):119
msgid ""
"A file is only considered deleted when there are no more links pointing to "
"it. This might sound like a strange concept, but consider that a filename "
"like <path>/usr/bin/perl</path> is actually a link to the inode where the "
"data is stored. Any number of links can point to the file, and until all of "
"them are gone, the file still exists."
msgstr ""
#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(p):127
msgid ""
"If your users have access to a partition that isn't mounted with <c>nosuid</"
"c> or <c>noexec</c> (for example, if <path>/tmp</path>, <path>/home</path>, "
"or <path>/var/tmp</path> are not separate partitions) you should take care "
"to ensure your users don't create hard links to SUID or SGID binaries, so "
"that after Portage updates they still have access to the old versions."
msgstr ""
#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(warn):135
msgid ""
"if you have received a warning from portage about remaining hard links, and "
"your users can write to a partition that allows executing SUID/SGID files, "
"you should read this section carefully. One of your users may be attempting "
"to circumvent your update by keeping an outdated version of a program. If "
"your users cannot create their own SUID files, or can only execute programs "
"using the dynamic loader (partitions mounted <c>noexec</c>), you do not have "
"to worry."
msgstr ""
#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(note):145
msgid ""
"Users do not need read access to a file to create a link to it, they only "
"need read permission to the directory that contains it."
msgstr ""
#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(p):150
msgid ""
"To check how many links a file has, you can use the <c>stat</c> command."
msgstr ""
#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(pre:caption):154
msgid "Stat command"
msgstr ""
#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(pre):154
#, no-wrap
msgid ""
"\n"
"$ stat /bin/su\n"
" File: `/bin/su'\n"
" Size: 29350 Blocks: 64 IO Block: 131072 regular file\n"
"Device: 900h/2304d Inode: 2057419 Links: 1\n"
"Access: (4711/-rws--x--x) Uid: ( 0/ root) Gid: ( 0/ root)\n"
"Access: 2005-02-07 01:59:35.000000000 +0000\n"
"Modify: 2004-11-04 01:46:17.000000000 +0000\n"
"Change: 2004-11-04 01:46:17.000000000 +0000\n"
msgstr ""
#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(p):165
msgid ""
"To find the SUID and SGID files with multiple links, you can use <c>find</c>."
msgstr ""
#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(pre:caption):169
msgid "Finding multiply linked suid/sgid binaries"
msgstr ""
#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(pre):169
#, no-wrap
msgid ""
"\n"
"$ find / -type f \\( -perm -004000 -o -perm -002000 \\) -links +1 -ls\n"
msgstr ""
#. Place here names of translator, one per line. Format should be NAME; ROLE; E-MAIL
#: ../../gentoo/xml/htdocs/doc/en/security//shb-perms.xml(None):0
msgid "translator-credits"
msgstr ""
|
GitWeb